The new rules start on 25 May 2018 and provides additional rights to individuals in connection with their personal data held by third parties. The new rules concern how and when someone (an individual, sole trader, landlord, partnership, company, club etc) can process personal data on individuals (i.e. clients, employees and suppliers). The system is regulated by the Information Commissioners Office (ICO). Failure to comply can result in penalties of the higher of 20m Euro or 4% of global turnover.
GDPR applies to “controllers’ and ‘processors’. Controllers instructs how and why personal data is processed while processors act on behalf of controller. Under the new rules, it is now necessary to identify a lawful basis for processing data and to document that basis before the personal data is processed. Consent is required from the individual presumably in the form of an engagement letter for a client and a contract of employment for an employee.
A beach of personal data is the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The ICO must be notified of a breach within 72 hours if it is likely to result in a risk to the rights and freedoms of individuals or may result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
ICO have produced a useful starting guide ‘Preparing for General Data Protection Regulation: 12 steps to take now’
In accordance with the above ICO document we have reviewed our records and created a document summarising the information held by Tax Data Ltd
Clients – data necessary for the completion of accounts and Tax Returns.
Employees – data necessary for payroll, pension and HR purposes.
Third parties – We are including a paragraph in correspondence seeking their consent to our holding their data.
All data is supplied by clients and third parties.
Data is shared with IT suppliers and HMRC
We advise clients of the data we hold on them through an annual engagement letter. Employees are aware of the data we hold as outlined in their contracts of employment.
We are seeking consent from non-clients included on our Tax Data mailing list and from suppliers where we hold personal data.
Published 16 March 2018.
Updated 12 April 2018.