The General Data Protection Regulation (GDPR), which comes into force in the EU on 25 May 2018, will apply to everyone handling personal data, whether stored online or on paper. Professional accountants who currently collect, store and process personal data relating to clients, employees and subcontractors will be directly affected by these requirements.
Accountancy Europe has released a factsheet on GDPR to explain the changes and provide examples in practice in order to help accountants understand how the legislation will impact their work.
Accountants collect and store information on the identity of a new client to comply with their Customer Due Diligence requirements under the Anti-Money Laundering Directive. The updates mean that practitioners will have to document this processing more thoroughly and inform the data subject from whom the personal information is collected, in order to respect that person's data rights. Big data analytics, where practitioners are involved in it, could be considered a high-risk activity.
The GDPR also introduces rules for when personal data is processed beyond its original purpose, requiring controllers to properly document the decision and describe the factors leading up to it. GDPR introduces new obligations and increased penalties for non-compliance, which could exceed €10m. Certain data breaches can result in fines of up to €20m or 4% of global turnover, whichever is higher.
The GDPR replaces the EU Data Protection Directive adopted 21 years ago. It has the dual purpose of taking changes in the personal data landscape into account and providing a more consistent regulatory framework across the EU.
Additionally, a Google-funded paper estimated that the cost for an average SME to implement GDPR could be up to €7200 per year.
The European Union Agency for Network and Information Security (ENISA) has published guidelines to help SMEs adopt a risk-based approach to the security of the personal data they process, to assess security risks and to understand the context in which they operate. ENISA also proposed organisational and technical security measures compliant with GDPR.
When the UK (or other Member States) leaves the EU it will be considered as a ‘third country’ and any data controllers processing data between them will have to revise their current data processing practices.
The USA, however, is allowed to exchange data with the EU when the companies involved are part of the Privacy Shield. The Privacy Shield framework, designed by the US Department of Commerce and the European Commission, provides companies with a way to comply with EU data protection requirements when transferring personal data from the EU to the USA. Alternatively, they can transfer data using other authorised means of data protection, such as contractual clauses. This EU-US Privacy Shield is currently being challenged on the grounds that it allegedly provides insufficient privacy protection.
The Accountancy Europe data protection rules factsheet can be found here.
The ENISA guidelines for SMEs can be found here.