Preparing for GDPR
We continue our interview with IRIS Data Protection Officer Vincenzo Ardilio, following on from our first blog, and discuss how to get your practice ready for GDPR.
What do you think are the biggest challenges facing practices dealing with GDPR?
I think the challenge for smaller practices is going to be navigating through the plethora of material that has been created by many GDPR ‘experts’. There are lots of myths around GDPR and data protection in general. I would advise them to go to the Information Commissioner’s blog which has a myth-busting section that will give them a sense of proportion on what the practice needs to do to comply.
What about the systems and processes used?
It would be a good idea to map out their processes and how they handle data. What the practice needs to demonstrate is that they’re in control of the personal data they use, so they need to think about how they would evidence that. I’d say it’s very difficult if they don’t know where the data is, who they disclose it to or where they get the information from. So mapping it out to some degree is necessary. As to how detailed they go, it’s a judgment call.
What kind of information should accountants share with their clients around GDPR?
The first principle of GDPR is about using personal data transparently and fairly. They’ve got to be transparent with the people who are affected by their use of personal data. In terms of practical advice, I would direct anyone new to creating privacy notices to the Information Commissioner’s Privacy Notices, Transparency and Control Code of Practice. That has really good advice on the sort of information they should provide and how. But ultimately, Articles 13 & 14 of the GDPR regulation list everything that should be in a privacy notice, so take a look and you’ll get an idea of what you should be telling clients and any other data subjects.
We recently conducted a survey on GDPR and we found only 42% of respondents could demonstrate they had the necessary basis to hold data. But if they updated their letter of engagement, they should cover that gap?
If the practice is entering into a contract with the data subject (e.g. the client), that’s a legal basis for using whatever personal information is relevant to the contract, the same if they’ve got a client’s consent. If an entity is under a legal obligation to use specific personal data, that’s another lawful basis for using the data and so on. The practice should look at Article 6.
I read that under GDPR all data breaches must be reported to the ICO. Is that correct?
It’s a myth that all data breaches must be reported. If the breach is unlikely to result in a risk to anyone’s “rights and freedoms”, it does not need to be reported. Breaches that could be a risk to an individual’s rights and freedoms do need to be reported to the ICO, and this should be done within 72 hours of discovery. For example, if an accountant sends an email containing confidential information about somebody to the wrong email address, that would be a breach. The data protection lead would have to be informed so that they can advise the business on what action to take. Incidentally, email is a big risk area and leads to some of the most common breaches.
Another risk to consider is social engineering or “blagging”. For example, a client’s partner or ex-partner, who will know personal details about the client, might try to use this to get information out of the accountant that they’re not entitled to. To avoid disclosing information to the wrong person, the practice must have measures in place for their staff to follow to make sure they identify the right person.
Next week we discuss how to become GDPR compliant in our third and final blog with Vincenzo Ardilio.