Last minute GDPR compliance checklist for accountants and bookkeepers

AAT Comment

The compliance date for GDPR is fast approaching.

In an ideal world all processes would have been recorded, and all notifications written. However, this is not an ideal world, and though training may have been completed, and notes made, action towards compliance may still need to be taken.

Before going any further, just a note on staff involvement. All staff will need to be trained and informed of the processes and procedures, so why not involve them from the start? Their input will make the task easier for the Data Controller and/or senior manager, and they will ‘buy into’ the processes more readily, since they were involved at their inception.

So here’s a quick round-up of what needs to be done before May 25.

Personal data policy

Inevitably payrollers, agents and licensed accountants and bookkeepers will have client, contractor and employee personal data. This is needed to process pay or process tax and national insurance liabilities. However, what is not needed to process pay and self-assessment, but is sometimes captured, is the special category data.

Special category data

This type of data used to be called ‘sensitive’ data and includes such information as ethnicity, race, political affiliations, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

If any of this information is captured by the system, then it is necessary to analyse whether there is a need for the data. If there is not, delete the data and shred the files immediately.

Personal data shared with third parties

If any data has been shared with any third parties then not only do you need to confirm that the organisation is GDPR compliant, but also, any amendments made to the personal data held within the organisation must be communicated to the third party.

Actions to take now

  • Audit personal data held.
  • Document process for updating personal data.
  • Document process for informing third parties of personal data amendments.

The process could be written or be in flowchart form. However, it does need to be documented.

Personal data storage policy

Identify where the personal data is held, whether electronically or in hard copy form.

If the data is held remotely, for example, in the cloud, then assurances about privacy must be sought from the cloud owner. These must include processes and safeguards being in place to protect the personal data from any data breaches.

Similarly, if the data is held in-house, safeguards must be in place. It may be that all personal data such as client information is held on a removable hard drive or on an internet-disabled computer. Whatever means are used, restrict access to the device by physical and electronic means.

Another area of concern is whether it is possible to copy personal data onto a moveable storage device, for example a USB stick or downloaded onto a laptop. Again, physical and electronic methods should be used to minimise any data breach.

If the data is held in hard copy, that is, paper based, then again safeguards must be in place. First, ask whether hard copies are needed at all. If so, is the data secure? Can it be locked and protected against unwanted access?

Whatever the method used it must ensure the safety of all personal data stored.

Actions to take now

  • Audit storage facilities for personal data, identifying the areas where it would be possible for someone to gain unauthorised access to the data.
  • Restrict access to the personal data by encryption, by password protection or by physically limiting access to the device.
  • Document the procedures for gaining, updating and transferring personal data within the organisation, and to third parties.

Personal data retained policy

GDPR states that personal data should be kept for ‘no longer than is necessary for the purpose you obtained it for’.

As payrollers, agents and licensed accountants and bookkeepers we have a legal obligation to hold data for a minimum requirement, but beyond that, what is necessary? How is ‘necessary’ defined? The easiest way to decide is probably to comply with the legal requirements, but, if data is held for longer, document the reasons why.

Actions to take now

  • Document any reasons why personal data is retained for longer than is legally required.

Personal data transmission policy

Payrollers, agents and licensed accountants and bookkeepers regularly send personal data via electronic means.

Some software programs have encrypted communication channels built into them, but others do not. Basic Payroll Tools (BPT) for example does not produce payslips, therefore these must be created and transmitted to the employee by the payroller.

To protect the data in these and similar circumstances:

  • Password protect the document using a non-formulaic (random) password.
  • Send the document to one of the employee’s email addresses while sending the password to another email address held by the employee (perhaps payslip to the work email address and the password to the private email address). It may be incumbent on the employee to open an email address just for this use.
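The two points above (a genuinely random password, and the document and its password travelling to different mailboxes) can be checked before a payslip is sent. The following is an added example, not code from the article or from any payroll product; the employee record, the email addresses and the function names are this example's own constructed assumptions. It draws the password from the operating system's secure random source, rejects a password built from data already on the payslip (surname, NI number, date of birth), and refuses to send the payslip and the password to the same address.

```python
"""Added example: random payslip password and split-channel delivery plan.

Not from the AAT article. The employee record and addresses used with it are
constructed sample data; generate_password, is_formulaic and plan_delivery are
names chosen for this example.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 16) -> str:
    """Non-formulaic password: every character comes from the OS CSPRNG,
    so it cannot be derived from anything the employee record contains."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_formulaic(password: str, employee: dict) -> bool:
    """Return True if the password embeds a value from the employee record
    (surname, NI number, date of birth, payroll id). Anyone who obtains the
    protected document and knows the employee could guess such a password."""
    haystack = password.lower().replace(" ", "").replace("-", "")
    for value in employee.values():
        needle = str(value).lower().replace(" ", "").replace("-", "")
        if len(needle) >= 4 and needle in haystack:
            return True
    return False


def plan_delivery(employee: dict, password: str) -> dict:
    """Route the protected payslip and its password to two different mailboxes.

    Refuses if both would go to the same address (one compromised mailbox
    would then yield both) or if the password is formulaic.
    """
    doc_to = employee["work_email"].strip().lower()
    pw_to = employee["private_email"].strip().lower()
    if doc_to == pw_to:
        raise ValueError("payslip and password must go to different mailboxes")
    if is_formulaic(password, employee):
        raise ValueError("password is derived from employee data; use generate_password()")
    return {"payslip_to": doc_to, "password_to": pw_to, "password": password}


if __name__ == "__main__":
    # Constructed sample employee record (not real data).
    employee = {
        "surname": "Smith",
        "ni_number": "QQ 12 34 56 C",
        "dob": "1985-03-12",
        "work_email": "j.smith@example-employer.test",
        "private_email": "jsmith@example-mail.test",
    }
    plan = plan_delivery(employee, generate_password())
    print("payslip ->", plan["payslip_to"])
    print("password ->", plan["password_to"])
```

The password itself still has to be applied to the payslip with whatever document or PDF tool the practice uses; this example only covers the two checks the policy asks for, so that the decision is recorded in the procedure rather than left to whoever happens to be sending the email.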

Actions to take now

  • Document the above policy.

Personal data deletion policy

Personal data should be deleted as soon as possible. Both hard and electronic copies should be shredded. ‘Binning’ or deleting documents and files is no longer enough.

Actions to take now

  • Document the policy on personal data held in paper and electronic format.
  • Investigate and possibly invest in electronic file shredder software.

Communicate with your clients immediately

  • Write to clients outlining the organisation’s policies regarding the collection, retention, storage and deletion of personal data.

Longer term actions

  • Monitor compliance with the policies.
  • Regularly train staff.
  • Keep reviewing the policies to make sure that they are still relevant and suitable.

A quick mention about anonymisation and pseudonymisation. Though there may be little use for anonymised data (permanent deletion of any personal data), pseudonymised data is more useful – as long as the encryption key is kept separate from the data. This is an alternative way of holding and transferring personal data while adhering to GDPR.
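As an added illustration of the pseudonymisation point (not code from the article), the example below replaces the direct identifier in a set of payroll records with a keyed token and keeps two things apart from the working copy: the key, and the token-to-identifier lookup. It uses a keyed hash (HMAC-SHA256) to produce the token, which is one common way of doing what the article calls keeping the "encryption key" separate; the field names and the two sample records are constructed. The keyed hash matters because NI numbers come from a small, structured space: an unkeyed hash of an NI number could be reversed simply by hashing every possible number, whereas without the key the tokens cannot be recomputed.

```python
"""Added example: pseudonymising payroll records with a separately held key.

Not from the AAT article. Field names, sample records and function names are
this example's own assumptions.
"""
import hashlib
import hmac
import secrets


def new_key() -> bytes:
    """Generate the pseudonymisation key. Store it apart from the working copy
    (for example in the practice's password manager or a separate system)."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token for an identifier. The same identifier under the
    same key always yields the same token, so records for one person can still be
    linked across months; a different key yields unrelated tokens."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymise(records, key, id_field="ni_number", direct_fields=("name",)):
    """Return (working_copy, lookup).

    working_copy: records with the identifier replaced by its token and other
                  direct identifiers removed; this is what gets used or shared.
    lookup:       token -> original identifier, which must live with the key,
                  never alongside the working copy.
    """
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(rec[id_field], key)
        lookup[token] = rec[id_field]
        kept = {k: v for k, v in rec.items() if k != id_field and k not in direct_fields}
        working.append({"pseudonym": token, **kept})
    return working, lookup


def reidentify(token: str, lookup: dict) -> str:
    """Recover the original identifier; only possible with the separately held lookup."""
    return lookup[token]


if __name__ == "__main__":
    # Constructed sample records (not real people).
    records = [
        {"ni_number": "QQ123456C", "name": "Jane Smith", "gross_pay": 2500},
        {"ni_number": "QQ654321A", "name": "Tom Jones", "gross_pay": 1900},
    ]
    key = new_key()
    working, lookup = pseudonymise(records, key)
    for row in working:
        print(row)
    print("reidentified:", reidentify(working[0]["pseudonym"], lookup))
```

The working copy keeps the figures needed for analysis or for passing to a third party, while the key and the lookup stay in-house. Rotating the key produces a fresh, unlinkable set of tokens, which is useful when a working copy is retired.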

AAT Comment has a dedicated GDPR page offering updates and guidance.

Julie Hodgskin is a fellow member of AAT, runs a licensed accounting practice and is a technical materials author for CIPP.
