General Data Protection Regulation
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and has replaced the Data Protection Directive. GDPR is designed to improve data privacy laws across Europe, to protect individuals’ data privacy and change the way organisations approach data processing.
We understand the importance of your personal data. It is very important to us that you have confidence in how we handle your financial and personal information and in the steps we take to secure and protect it (whether it is stored on our internal infrastructure or with our trusted third-party data processors).
How have we prepared for GDPR?
As an accountant and trusted business adviser, we hold and process personal data on behalf of businesses and individuals, meaning GDPR requirements have been thoroughly reviewed and policies put in place to ensure compliance for us and our clients.
Tasks we have completed in preparation for GDPR are:
Identifying personal data – We have completed a firm-wide information audit to document what personal information we hold, where it came from and who we share it with.
Purpose of holding data – All information held is requested for the purpose of supplying services and therefore we have identified and documented the purposes of processing all personal information held.
Retention periods – The work we complete is under the guidance of ICAEW and is heavily regulated. Therefore, we have reviewed and documented the retention policy for all personal information in line with legislation, storing data for no longer than is legally required.
Complete due diligence on third-party data processors – We use third-party data processors to assist in delivering a full service to our clients. We have completed due diligence on all of them and hold evidence of their security measures and GDPR compliance.
Data Subject Rights
GDPR gives individuals the right to access information on request, so we have expanded our policies to ensure we can address any data requests from our clients.
We have prepared a policy to identify what constitutes a data breach that requires reporting and have set up a register to record any breaches should they occur.
We have held training sessions with our staff to inform them of the policies and procedures we have in place. This training also forms part of our induction process for anyone who joins the firm.