The General Data Protection Regulation was introduced with much fanfare in May 2018 but seems to have drifted off the radar as an area of major concern for many firms.
However, Insight Training workshops and courses this autumn have prompted a number of questions and queries from delegates. Here are our top five:
1. What impact has the pandemic had on GDPR? Has there been any relaxation of the rules?
None whatsoever! The requirements in respect of data access requests and ICO investigations of material data breaches are enshrined in law – so corners can’t be cut. With working practices changing now that so many of us are working from home, the ICO has issued some useful practical guidance which can be downloaded here. How many firms have updated their policies and procedures to reflect these working practices though?!
2. What impact will Brexit have on the regime?
It’s unlikely to have a significant impact on accountancy firms. Although an EU regulation, GDPR was transposed into UK law via the Data Protection Act 2018 largely with a view to making it ‘Brexit proof.’
It seems possible that after Brexit ‘Implementation Period Completion Day’ on 31 December 2020, new procedures might be required where personal information is transferred from the EU to the UK. However, if the EU signs off our GDPR regime as fit for purpose (it’s officially called an ‘adequacy decision’) this is unlikely to be a requirement. Since the Data Protection Act 2018 mirrors GDPR this shouldn’t be an issue – unless things get political. Watch this space!
3. Is it true that GDPR is ‘off the radar’ for professional bodies? What issues, if any, have they been raising?
ICAEW publishes a Practice Monitoring Report annually. Its 2020 report, feeding back on issues raised in 2019, can be accessed here. Data Protection was ICAEW’s number 2 issue in 2019, not surprising given that GDPR was still relatively new at that point. The main specific issues raised were quite easy ones to address though – failure to register with ICO and registration within the wrong tier.
4. We’re taking on a new client who insists that it’s a breach of GDPR to ask for a copy of a passport. Is this true?
It’s surprising how often this issue crops up – but it’s not true. ‘Compliance with a legal obligation’ is one of the six ways to justify holding personal information, and due diligence requirements are, of course, a cornerstone of the AML regime.
We often comment when presented with this issue that it would surely put you on guard and make you suspicious if a prospective client were unwilling to share such information. Would you even want to act?!
5. Given it’s all about personal data, presumably there are fewer GDPR issues with, say, electronic audit files?
This is true to a point, though audit files will typically contain some personal information (e.g. where wages and salaries testing is performed). However, professional bodies’ Codes of Ethics emphasise the importance of safeguarding confidential information whether it’s inside or outside the strict scope of GDPR, so we always advocate that firms embrace the GDPR philosophy in all that they do.
As an aside, since GDPR is relevant where payroll testing is performed, we always encourage firms to include all the evidence needed to ensure an adequate audit trail in this part of the file, but no more than is strictly required. This saves storing up problems if and when things do go awry.
Peter Herbert will provide updated insights into GDPR hot topics on 6 May 2021 (12.30-1.30) as part of our Spring 2021 ‘CPD Bites’ programme. For more information and to book on, click here.