GDPR update and its impact on accountancy practices
Richard Kemp, Kemp IT Law
29 March 2017
Presentation to The Alternative Accountancy Strategic IT Conference
Elizabeth Denham, speech to ICAEW, 17.01.17

"On a basic level, your jobs involve handling personal data. Payroll info, employee details, people's expenditures. It's your responsibility to keep that information secure and ensure that individuals' rights are respected, with the risk of enforcement action and damaging publicity for your company if you get that wrong. The GDPR doesn't change that. If anything, it places more onus on you to handle information correctly. For the businesses you work with, that includes keeping data secure by protecting it from cyber attack, a growing area of risk.

I know that for most businesses, you're not just the people who do the accounts. You're a source of advice, good practice, assurance and protection from risk. You're in a good position to explain to your clients and organisations how the issues I'm going to talk about today are a competitive advantage if they get them right."
Quick GDPR update

- Brexit
  - "The big question is what happens when the UK leaves the EU. It's possible that Parliament will debate amending the GDPR... we will be banging our drum for continued protection and rights for consumers and clear laws for organisations. HMG will also need to answer questions about whether the UK will keep the UK's data protection law at an equivalent standard to the EU, to allow unrestricted data flows with EU countries. We need strong data protection laws to achieve all that."
- Privacy Shield
  - The EU-US Privacy Shield is subject to a review in summer 2017; the advice for businesses is that Privacy Shield is a legitimate basis for transferring personal data to the US. The ICO welcomed the additional safeguards it provided compared to the previous Safe Harbour arrangement.
- Article 29 WP currently preparing GDPR guidance
- More guidance and consultations at national level
  - March 2017: ICO Consultation/Draft Guidance on Consent
  - March 2017: RoI DPC Consultation on Consent, Profiling, Personal Data Breach Notifications and Certification
Sources of duties and obligations

- General law: negligence, DPA/GDPR, etc.
- Professional conduct
  - ICAEW Code of Ethics, section 130.1(b): "The principle of professional competence and due care imposes the obligations on all professional accountants to act diligently in accordance with applicable technical and professional standards when providing professional services."
  - ACCA Global Quality Assurance Standards, paragraph 2.7: "Maintain systems to allow easy access to information stored electronically and implement controls to ensure the security and integrity of this data is safeguarded."
- Engagement arrangements
  - client engagement letters, etc.
  - contractual flow-down of regulatory obligations where the client is in a regulated sector (e.g. financial services, healthcare)
  - these may specifically impact e.g. information security, data protection, etc.
Top concerns around the GDPR (source: TRUSTe "State of preparedness" survey, Nov 2016)

Ranked from most to least cited; the chart's percentages ran from 42% for the top concern down to 21% for the ninth:
1. new penalties
2. consent requirements
3. territorial scope
4. new personal data categories
5. new profiling restrictions
6. data breach notification
7. new duties for data processors
8. right to be forgotten
9. accountability requirements

ICO's action list to prepare for GDPR
ICO's 12 steps to prepare for the GDPR

1 & 11. Awareness
- senior management
- DPO/CISO/IT Director, etc.
- project plan up to May 2018

2. Document what PD you hold
- where it comes from
- who it's shared with
- do you need an information audit?

3. Review and update privacy notices
- engagement letters
- privacy and security policies (staff handbook)
- website and other notices
ICO's 12 steps to prepare for the GDPR (continued)

4. Check procedures to meet individuals' rights
- right to be informed
- deletion and rectification of PD
- see also step 3

5. Subject access requests
- remote access to a secure self-service system
- within one month

6. Legal basis for processing personal data
- consent
- necessary for complying with a legal obligation
ICO's 12 steps to prepare for the GDPR (continued)

7. Consent
- freely given, specific, informed and unambiguous
- evidenced
- must be easily withdrawable

8. Children
- verify age
- show parental/guardian consent

9. Data breaches
- breach of security
- leading to loss, alteration, unauthorised disclosure of, or access to, PD
- assess risk case by case
- notify within 72 hours of awareness
ICO's 12 steps to prepare for the GDPR (continued)

10. Privacy Impact Assessments / Privacy by Design
- for projects, e.g. new IT, data sharing, databases, services, etc.
- carrying out and documenting the PIA process:
  - identify need and describe data flows
  - identify privacy risks and assess solutions
  - agree and record outcomes
  - integrate outcomes into project plan
  - consult stakeholders throughout the process

12. International
- who is your regulator?
- where is data held (e.g. cloud)?
- model clauses, Privacy Shield, etc.
Top tips and takeaways

- Importance of training and awareness: the greatest risk is still the basics:
  - thumb drives
  - laptop left in a taxi
  - loss of hard-copy documents
  - documents faxed to the wrong number
- Emphasis on data and system security
  - business continuity and recovery
  - data storage and deletion
- Firms' cloud strategies
  - note the importance of due diligence, reliance on ISO and similar standards, etc.
Top tips and takeaways (continued)

- Senior management buy-in
  - understand how the GDPR broadens and deepens obligations
  - put data protection accountability at the centre of your business processes
- Project planning in the run-up to May 2018
  - strategy, policy and process statements
  - update documentation, policies, procedures, etc.
  - update client engagement arrangements
  - assess data assets
- Develop a proportionate firm PIA policy
  - policy plus template
  - implement for new IT systems, products/services, etc.