Background information on the General Data Protection Regulation legislation.
This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined.
Please note: guidance on all aspects of the GDPR and how to implement it is not yet available from the ICO. It is expected to be available in 2018. ICAEW will then publish its own guidance for members around the same time as the ICO advice is released. In the meantime ICAEW is advising members to make themselves aware of the main changes introduced by the GDPR, to assess what personal data they hold, and to appoint a senior employee to oversee any changes they may have to make to ensure compliance with the GDPR. Regular visits to the ICO website for the latest information are also recommended.
Please note this is interim guidance that will be updated (and tailored to meet the needs of ICAEW members) as we receive more guidance from the ICO.
If you have any concerns or questions about how GDPR may affect your business or practice, please get in touch. We will continue to gather feedback from members to create detailed advice which we will issue later this year.
The EU has introduced the GDPR to update and harmonise data protection law across the EU. It applies to organisations established in the EU and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. As it applies from 25 May 2018 (before the UK leaves the EU), UK individuals and organisations must ensure compliance with the new regime by then.
The Information Commissioner’s Office (ICO) and the government have confirmed that they expect UK individuals and organisations to adhere to the GDPR, as post-Brexit the UK’s data protection legislation (currently the Data Protection Act 1998 (DPA)) must meet the GDPR standard.
The GDPR is partly an update of existing data protection law to meet the challenges of large-scale, networked processing of personal data. It does this by increasing protection for individuals and placing the onus on the organisations and individuals that process personal data to handle it correctly and securely, and to be able to demonstrate that they do.
Doing nothing is not an option. Even if the UK were later to diverge from the GDPR after leaving the EU, a great many UK organisations would still have to comply with it, because the GDPR applies to any processing of personal data where the controller or processor is established in the EU, and to processing by controllers or processors outside the EU that offer goods or services (paid or free) to, or monitor the behaviour of, individuals in the EU.
As a start, you must evaluate whether your existing practices and procedures meet GDPR standards and then plan how you will address any shortcomings. This must be done for all personal data you process or hold, whether on behalf of clients or for your own business. As a minimum, contract clauses on the sharing of data with others (including clauses with any processors acting on your behalf) should be reviewed to check for compliance with the GDPR.
Your clients will also have to comply so it might be worthwhile checking that they are aware of these changes; supporting them in this may be an 'added value' opportunity for you.
The ICO has published the following generic guides on its website, which are good starting points for anyone wishing to understand the GDPR and the changes it is introducing:
A series of four webinars with commercial partners providing a range of practical advice to help an organisation become GDPR ready.