Becoming GDPR compliant
In the third and final installment of our interview with IRIS Data Protection Officer Vincenzo Ardilio, we assess how your practice can become GDPR compliant and how to ensure ongoing compliance.
What steps are IRIS taking to comply with GDPR?
We’ve been taking a “risk-based approach”. We established that our products and services that handle customer data would have the highest impact on people if things were to go wrong. We follow a three-step process:
1. Carry out a gap analysis on each product/service to determine any shortcomings
2. Undertake a risk assessment of the findings
3. Formulate an action plan to resolve any issues
Whether it’s development of the product itself or a change in the way we do things, we’re making sure that we’ve got what we need to do on the radar.
Who is responsible for ensuring compliance in a practice?
Accountants and their practices need to be compliant. Our products can help, but they won’t guarantee compliance – accountants are responsible for their own compliance.
For example, IRIS has to comply with the regulations in terms of our own HR, marketing, sales, support etc.; in fact, anywhere IRIS is in control of making the decisions about why and how we use personal data. Where we’re acting as a processor – for example, if we’re simply hosting data – our role is to help our customers fulfil their legal obligations under GDPR. We have some legal responsibilities, for example around information security, but my view is that our most important role is to be an ally to our customers with respect to data protection.
Is there a regulatory body that’s going to measure or assess their compliance?
The Information Commissioner’s Office has the power to carry out audits but, until now, they haven’t had the resources to do so on a large scale. Enforcement audits tend to be very reactionary, so if there’s a breach or a complaint the practice would be audited to some degree. Businesses can also volunteer for audits from the Information Commissioner. Also, if they’re going for a standard like ISO 27001, which focuses on information security, then there will be audits involved in that. It depends on how far the practice wants to go.
You said ISO 27001 is not mandatory, but is it a good thing for people to do?
I think for the larger practices it is. It demonstrates that they’re meeting a certain standard for security but it only deals with the information security aspect of data protection. That said, most breaches that the Information Commissioner gets involved in are normally around either marketing or security, so it’s probably a good investment to have something like ISO 27001.
Many practices will have a letter of engagement with their clients. Is that an acceptable way to demonstrate they have the necessary basis to hold their clients’ data?
Each practice will need to make that decision based on their own business relationship with their customers. What they would do is go to Article 6 of the regulation, which lists the acceptable legal bases for using personal data. For example, one legal basis is ‘if it’s necessary for the performance of a contract to which the data subject is a party.’ So this would apply if the legal standing of the letter of engagement is equal to a contract or a legally binding agreement with the data subject – assuming the client is the data subject and both parties have signed it. There’s no getting away from the fact that practices are going to need to get their own advice.
Do you have a suggested text we could put in our letter of engagement?
No, because that’s exactly what the GDPR is trying to get away from. That’s one of the failings of businesses under the Data Protection Act 1998. Some were just box-ticking and providing standard text without giving any thought to what they were actually doing with personal data and what the people they were dealing with would really want to know. It seemed to be about limiting the business’s own liability rather than being genuinely informative. Practices need to think about what they actually do with personal data and communicate this to their clients.
Would best practice be to get the letter of engagement signed on an annual basis?
It depends on the period of time that the letter of engagement is covering; the legal basis will last for as long as the letter of engagement is valid. In terms of the privacy notice (which is a separate requirement from the ‘legal basis’ issue), practices need to keep clients informed of all the explanations listed in Articles 13 and 14 of the Regulation. So if practices change what they do with personal data between letters of engagement, they will need to find other ways of informing their clients about the way the practice is using clients’ personal data.