.png)
Let’s consider how the GDPR will impact accountants, accountancy firms and bookkeepers.
The UK’s departure from the European Union has not changed anything as the EU GDPR has been adopted into UK law. This has allowed the European Data Protection Board to class the UK as adequate which allows data to be transferred across EU borders, seamlessly.
Where does the GDPR apply?
It applies to the processing of personal data. Personal data means data which relates to a living individual who can be identified from:
- the data; or
- the data and other information, which is in the possession of, or is likely to come into the possession of, the data controller – that is YOU and YOUR BUSINESS
- This includes CCTV footage
It also includes any expression of opinion about the individual, any indication of the intentions of the data controller or any other person in respect of the individual. Therefore, if you have an opinion about someone be it a client or a colleague, be very careful where you record it.
What is Personal Data?
The GDPR has added to the type of data that can identify a living individual. This reflects changes in technology. Therefore, as well as name, address, date of birth it now includes IP addresses, location data and cookie identifiers. Genetic data is also included. The GDPR covers both paper and electronic data. The GDPR, however, continues to apply to personal data within an automated system and to hard-copy documents that are contained in as ‘relevant filing system’ (meaning a structured set of personal data that can be searched by reference to certain criteria). The latter includes filing cabinets!
Please note the GDPR specifically excludes the processing of personal data if performed by a natural person for a purely personal or household activity such as the private use of social media.
What about the personal data processed by accountants and accountancy firms?
We know that accountants and accountancy firms typically process two different types of personal data: client data and company data.
- ‘Client data’ is personal data received from clients in relation to professional engagements and practice. This includes private client data and data relating to business clients employees and customers
- ‘Company data’ is personal data held by your business in relation to its own management, employees and affairs generally, including marketing databases.
What is Processing?
- obtaining, recording or holding information or data;
- or carrying out any operation on the information or data, including organising, adapting or altering, using, disclosing (by any means), combining with other data, blocking or removing in any other way from the record.
Does the GDPR only apply to digital processing?
This is a popular myth.
Paper records are also included if they are part of a ‘relevant filing system’. This means papers stored systematically, for example, in a filing cabinet are included but ad hoc paper files are not. However, if these ad hoc pieces of paper contain personal data that has yet to be filed, then they are in scope. Simply removing a file from the cabinet does not mean the data is out of scope of the GDPR.
You must ensure that they apply the same levels of diligence to paper records as you do digital records and that any decisions made regarding the lawful basis for processing, adhering to data protection principles and upholding data subjects’ rights include paper records. In a future article, I will talk about how you must observe the eight rights under the GDPR and how you must be able to demonstrate this compliance.
By Howard Freeman – Managing Director, Fortis Data Protection and Compliance
