Despite what you may think, GDPR is not the responsibility of just the IT department. It also concerns you and every department that takes in any personal information from individuals. Whether it is payment information or contact details for marketing, GDPR applies, and it applies to every department.
As an accountant you will have access to either client records or customer records that were previously protected by the Data Protection Act of 1988 but, as of 25th of May last year, are now protected by the General Data Protection Regulation (GDPR).
What does GDPR mean for you?
Here’s a quick-fire run through of how things will change for you.
The larger your organisation, the more personal data your systems will have to process. Depending on how much data it processes, or whether it is a public authority, a Data Protection Officer may be required.
A data privacy impact assessment may be needed if your organisation works with particularly sensitive data.
What Do You Need to be Doing?
● Your organisation needs to be able to evidence that all contact data is being lawfully processed. Documentation is necessary to prove “lawful processing”.
● What is “lawful processing”? It means one of two things: either direct consent, or processing that is necessary to fulfil a contract. Consent is what you’ll be dealing with most of the time.
● Consent given for one purpose is not assumed to cover everything. Instead it is granular, meaning individuals have the opportunity to opt in to, and out of, particular uses of their data.
● Fresh consent will be needed for any existing data, if there is no evidence that consent was granted in the first place.
● Pre-checked boxes are no longer allowed on webforms.
The Rights of Individuals
● GDPR offers individuals more rights than under the Data Protection Act.
● One of their rights is to be able to access their data and have it corrected.
● Amongst the new rights are the right to be forgotten, the right to have their data transferred elsewhere, and the right to have automated profiling using their data restricted.
What About Your Company Policies?
● The journey that data takes, as it comes in from individuals and makes its way around your company, should be mapped and understood so you can identify how permission was obtained.
● Update your internal data protection policy to incorporate everything discussed above.
● Make sure your internal data protection policy includes details on identifying data breaches, reporting and how they should be investigated.
What Else Can I Do?
Set up a group of relevant officers within your organisation to ensure that the accounting concerns are also represented within any audits and data mapping processes. Make sure you are up to date with all the changes occurring within your organisation and understand how those changes in data policy can affect how you manage the data as it filters through your department.