With only six months to go until the GDPR takes effect on 25 May 2018, you have just enough time to prepare your practice for this significant change. Liz Smith from Lugo sets out the key points every practice should consider in order to prepare both its mindset and its procedures for the new data protection rules.
Small businesses – GDPR affects you too
In the UK the GDPR replaces the Data Protection Act 1998 and is enforced by the Information Commissioner's Office (ICO). It strengthens the rules around personal data, requires organisations to be more accountable and transparent about how they process it, and gives individuals greater control over their own personal data.
As trusted business advisors to your clients, you must have sufficient knowledge of this new legislation to be able to provide sound advice. SMEs need to be ready when the new law comes into force, but they may struggle to know where to start as they have less time and money to invest in getting it right.
How to ensure your practice stays compliant
There is no quick fix to GDPR compliance. No one piece of software is going to provide everything you need for GDPR. Put simply, the point of this legislation is to put people’s personal data back within their control.
We’ve developed a four-step guide for accountants and SMEs, designed to set you on the right track:
Four key stages of GDPR compliance
1. Education and Training
Make sure key people in your firm are aware that the law is changing, understand the impact it is likely to have, and identify the areas that could cause compliance problems. You will need to review many of your procedures, including your internal data protection policies, staff training and handbook, internal audits of processing activities and HR policies. You must identify your lawful basis for processing personal data and state it in your privacy notice.
2. Systems and data
Your practice must document what personal data you hold, where it came from and who it is shared with. Organise an information audit across the firm to identify the data you process and how it flows into, through and out of your organisation; this record is also what you will rely on when something goes wrong. Note that not every incident is reportable: a personal data breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO without undue delay and, where feasible, within 72 hours of your becoming aware of it, and the affected individuals must also be told where the risk to them is high.
Designate responsibility for data protection compliance to a suitable individual or group within the organisation. Review how you seek, record and manage consent, remembering that consent is only one of six lawful bases under the GDPR and that, where you do rely on it, it must be specific, informed, freely given and as easy to withdraw as it was to give. View consent as a dynamic part of your ongoing relationship of trust with individuals, not a one-off compliance box to tick and file away. To reap the benefits of consent you need to offer ongoing choice and control; used properly, it helps you build trust and enhances your firm's reputation.
3. Security
All personal data must be kept secure through appropriate technical and organisational measures. The GDPR itself gives encryption and pseudonymisation, the ability to restore access to data promptly after an incident, and regular testing of your measures as examples of what "appropriate" can mean. Consider physical as well as systems security, including who within the firm can access client data, to minimise the risk of a personal data breach. Review your backup and disaster recovery plan, and review how you transmit data to and from clients: encrypt files before sending them, or use a secure client portal, rather than relying on unencrypted email attachments.
4. Compliance
Plan how you will handle subject access requests under the new rules: in most cases you will no longer be able to charge a fee, and you will have one month to respond, extendable by a further two months only where requests are complex or numerous. Make sure you also have procedures in place to detect, report and investigate a personal data breach, since the 72-hour reporting period runs from the moment you become aware of the breach, not from the end of your investigation.
What should I do?
At Lugo, we support SMEs with their IT and cyber-security. We are running a series of GDPR seminars in November in Glasgow, Aberdeen, Dundee and Edinburgh, where you will be able to put your questions to GDPR experts in the legal and data security fields and come away with an action plan for compliance. These seminars are open to you, your colleagues and your clients.
Good information handling makes good business sense: it enhances your firm's reputation, increases client and employee confidence, and, by keeping personal information accurate, relevant and secure, saves both time and money.
Do not leave your preparations until the last minute.
Book onto our Lugo GDPR Seminars today or call Liz Smith on 03300 242 242 for more information.
This blog is one of a series of articles from our commercial partners.
The views expressed are those of the author and not necessarily those of ICAS.