GDPR compliance
Thank you.
Comments
-
This is a great question.
gwenb said: I am currently registered with the ICO as a Data protector officer for my one-man-band accounting practice. Apart from producing documentation that shows how data is dealt with, is there anything else that I need to do to stay compliant?
Thank you.
I don't think the AAT are doing much to improve members' knowledge in this area.
You may need to keep a register in order to show that you are monitoring whose data you hold and the deadline to destroy their information, i.e. everyone has a right to be forgotten and you should not be holding onto it if it is no longer required. I believe there is an exemption that allows accountants to hold onto data for the 6 year HMRC investigation period.
-
There is an article in the latest AAT magazine and the ICO has produced some useful checklists for small businesses.
-
Thank you @MarieNoelle I will have a look at that.
-
The tax and accountancy bodies (including AAT) are currently working on updating engagement letters to include the new GDPR (due early summer 2018).
-
Interesting discussion on this subject on AWeb.
-
AAT have some online CPD and a breakfast meeting in their London HQ coming up about this very topic
-
London isn't that practical for me - I checked my local branch but they haven't organised anything on the subject. I guess it's probably early days.
-
You should demonstrate that you use some sort of cloud system that allows the secure exchange of documents, e.g. payslips, tax returns, etc. These things shouldn't be emailed out. I include a link to an example: https://www.iris.co.uk/cloud-solution/iris-openspace/
gwenb said: I am currently registered with the ICO as a Data protector officer for my one-man-band accounting practice. Apart from producing documentation that shows how data is dealt with, is there anything else that I need to do to stay compliant?
Thank you.
-
We have a category on our blog dedicated to GDPR so it's definitely worth keeping track of articles posted there.
-
I have just found out there was a webinar on the subject organised by the AAT.
Unfortunately it was today at 11.45 so missed it. This is the kind of information that would be worth sharing beforehand @AAT_Team. Will there be a recording that we can access?
-
I surely would have but I had not known about it until now either. Was it circulated in the newsletter?
MarieNoelle said: I have just found out there was a webinar on the subject organised by the AAT.
Unfortunately it was today at 11.45 so missed it. This is the kind of information that would be worth sharing beforehand @AAT_Team. Will there be a recording that we can access?
-
Hi @AAT_Team thanks for responding.
It wasn't in the latest AAT engage newsletter dated 22nd January and the Professional newsletter advertised the breakfast meeting in London but I can't see anything on the webinar.
-
I'll be able to provide the recording so you won't miss out on it!
-
Thank you!
AAT_Team said: I'll be able to provide the recording so you won't miss out on it!
-
I attended a Sage Sessions day on Tuesday and needless to say, one of the presentations was about GDPR.
It was a bit like the Graham Norton show but with a panel of "experts" rather than celebs taking centre stage. The host then posed questions which they all took turns in answering. Sadly there was no "big red chair".
Anyway, the crux of it was, I suppose, that you can make it as complicated or as simple as you like depending upon what systems you already have in place for data protection and whether they need "tweaking" or a complete overhaul.
One of the speakers was a director from PWC and they have things in hand. Mostly because they have the manpower and resources to throw at it.
I can see why most people seem overwhelmed by it (us included) and see it as a huge challenge. The practicalities are not helped either by the fact that many practices are also still gearing-up toward MTD for VAT. It's like having 2 sets of major roadworks happening at the same time within a 5 mile radius.
Reading between the lines, if you have the procedures in place then you're well on your way. The practicalities will follow on. It's not a Y2K scenario when you need to panic by the 25 May if not everything is right by the morning of the 26th. The world will not end....
-
Useful feedback @TreadStone.
My view is that yes there is a lot of guidance out there but the practicalities of implementing GDPR in a micro practice are still a bit confusing.
-
I am told this is best viewed in EI.
-
I didn't know about this either!
MarieNoelle said: I have just found out there was a webinar on the subject organised by the AAT.
Unfortunately it was today at 11.45 so missed it. This is the kind of information that would be worth sharing beforehand @AAT_Team. Will there be a recording that we can access?
I am still feeling completely overwhelmed by GDPR and still don't really know what I need to 'do'. Do I need to invest in encryption/pdf password protection so that I can still email payslips to clients? What should be included in my privacy notice and will a 'one size fits all' approach work or will each notice need to be tweaked depending on the systems we use for the services particular to that client? If a client asks to be forgotten but we are exercising right of lien over their records how do we achieve this? If a client fails to collect their accounting records and we no longer need the records because the work is complete so we can't hold on to them because they are no longer 'necessary' how do we proceed? To name a few!
I can read up on GDPR for hours and hours but how do we implement it specifically as accountants, especially small firms like mine?
-
Exactly how I feel.
Gem7321 said: I can read up on GDPR for hours and hours but how do we implement it specifically as accountants, especially small firms like mine?
-
@MarieNoelle I have started a 'map' as advised by the ICO but I'm not even sure whether this needs to be done on a client-by-client basis, which would be mammoth, or generally as a practice. We could really do with some better industry-specific advice before long
-
In my opinion:
Gem7321 said:
Do I need to invest in encryption/pdf password protection so that I can still email payslips to clients?
MarieNoelle said: I have just found out there was a webinar on the subject organised by the AAT.
Unfortunately it was today at 11.45 so missed it. This is the kind of information that would be worth sharing beforehand @AAT_Team. Will there be a recording that we can access?
What should be included in my privacy notice and will a 'one size fits all' approach work or will each notice need to be tweaked depending on the systems we use for the services particular to that client?
If a client asks to be forgotten but we are exercising right of lien over their records how do we achieve this?
If a client fails to collect their accounting records and we no longer need the records because the work is complete so we can't hold on to them because they are no longer 'necessary' how do we proceed?
1) Yes, payslips should be password protected. You can't email the password to the client. Post or phone them the password. For accounts and tax returns, you would upload them into a password protected client portal like Iris Openspace.
2) Yes, I think a secure one size fits all approach will generally work as most (if not all) clients will have the same requirements/needs. However techno-phobic clients could create a problem here.
3) I think the needs/penalties/requirements of GDPR are greater than your needs under lien therefore you should return the client's records and pursue them using alternative avenues. Lien isn't the only way to get paid.
4) I believe 'necessary' in terms of tax preparation is 6 years under the tax legislation/HMRC guidance. Therefore as long as you don't keep the records for more than 6 years you should be fine. After 6 years post them back to the client, and put that in your letter of engagement.
I think we should all brainstorm as many questions as possible and thrash out the answers here and now.
-
Secure document exchange: https://www.iris.co.uk/cloud-solution/iris-openspace/
-
"Rigorous security
No need to worry about protecting your data; our products offer the same levels of encryption and authentication you expect from online banking.
As the May 2018 GDPR deadline is fast approaching more and more accountants are using IRIS OpenSpace to securely exchange information with clients."
https://www.iris.co.uk/cloud-solution/iris-openspace/
-
To be honest, in my opinion, I think GDPR is well overdue. It's time all sensitive documents are password protected and businesses holding personal information get rid of it once the purpose has been fulfilled (otherwise there could be a data leak or data sale).
-
I already use OpenSpace, the problem is clients have to agree to sign up to it and approve their documents and a lot of mine haven't because they don't trust the cloud. Hence why they get their payslips emailed and their accounts and tax returns are posted.
I have looked into password protecting PDFs but don't like the hefty price tag that comes with Adobe, does anyone know of any alternatives?
-
Moneysoft does password protected payslips. They have a GDPR article here about password protection and how to do it: https://moneysoft.co.uk/support/general-data-protection-regulation-gdpr/
-
Moneysoft only costs £130+VAT per year: https://moneysoft.co.uk/prices/
For an unlimited number of clients.