(c) Institute of Chartered Accountants of Scotland. Contact ICAS for permission to reproduce this article.

How to prepare for GDPR

By David Menzies CA, Director of Practice, ICAS

With just under three months remaining until the General Data Protection Regulation (GDPR) comes into effect in the UK on 25 May 2018, David Menzies looks at how firms can prepare for GDPR and how ICAS will provide support in this area.

By now, all practitioners have hopefully at least heard the phrase GDPR and appreciate that, despite being only four letters, it carries huge significance.

GDPR is the shorthand reference to EU Regulation 2016/679, which must be brought into effect by EU Member States by 25 May 2018.

This is being done in the UK through a new Data Protection Act 2017 which is currently making its way through Westminster as the Data Protection Bill. The Data Protection Act 1998 will in due course be repealed.

Preparation for GDPR will fall broadly into four areas:

1. Systems and data

Your practice must understand what personal data you hold, where that data comes from, what it is used for and who it is shared with.

An information audit across the firm is a useful way to identify what data is within the practice and how it flows into, through and out of the practice.

Review how consent is sought, recorded and managed.

Consent should be considered as a dynamic part of an ongoing relationship with individuals and not a one-off compliance box to tick.

2. Education and Training

Key people within the practice need to be aware that the law is changing.

The practice also needs a thorough understanding of the impact this is likely to have, and should identify areas that could cause compliance problems.

Procedures will need to be reviewed, including internal data protection policies, staff training and handbooks.

3. Compliance

The lawful basis for processing personal data will need to be set out in your practice privacy notice.

The timescale for responding to subject access requests will reduce to one month, so plans should be put in place to identify and respond to requests within that period.

Data protection breaches will have to be reported within 72 hours, so plans will likewise have to be put in place to detect, report and investigate a personal data breach.

4. Security

All personal data must be kept secure through appropriate technical and organisational measures.

Physical as well as systems security should be reviewed to minimise the risk of a personal data breach.

Disaster recovery plans and ways data is transmitted to and from clients should be reviewed.

This article was originally published by ICAS.