ICAEW.com works better with JavaScript enabled.

How to prepare for GDPR

Read one firm's journey to becoming ready for the implementation of the new General data Protection Regulation (GDPR) on 25 May 2018.

The European Union’s GDPR ((EU) 2016/679) has been looming on the horizon for some years and will apply from 25 May 2018. Like other EU regulations, the GDPR is intended to harmonise EU laws, but derogations for member states allow some flexibility. This has led to variations across national implementations.

Definitive guidance is still emerging from national data privacy authorities, such as the UK Information Commissioner’s Office (ico.org.uk) and the French Commission Nationale de l’Informatique et des Libertés (cnil.fr). This drip feed has impeded the early preparations of affected organisations and many remain in varying stages of un-readiness.

In January 2018, when over 500 attendees at an ICAEW webinar on GDPR were asked about their preparations, 1.3% declared their organisation to be “nearly ready”, 38.5% felt they were “making good progress”, 45.6% had ‘not yet started’ and 12.5% admitted that they did “not have a clue”. During the webinar they asked 170 questions (see box).

One firm’s GDPR

The UK firm MHA Macintyre Hudson seems to fall into two of these categories: it’s making good progress and it’s nearly ready. The firm began its GDPR preparations in the summer of 2017 by engaging lawyers EMW to provide it with a basic understanding of GDPR, so that the firm could assess what it needed to do to become GDPR-ready.

To steer the firm’s processes during the transition, audit compliance partner Andrew Moyser was appointed as the firm’s data protection officer (DPO) and he has led on GDPR, reporting to the board. He says: “We didn’t want our preparations to be an IT-based project – and it has turned out to be so much more than that.”

Moyser has worked with IT, marketing and many other parts of the firm across service lines and offices. After a data mapping exercise “to show where data sits”, MHA Macintyre Hudson looked in more detail “to understand what is being stored, for how long and how securely” and assessed what is needed for GDPR compliance. “Then we started fixing a few things that need to be fixed,” he says.

The GDPR project has been an eye-opener for both Moyser and MHA Macintyre Hudson. “It’s taken us into areas that are not about data protection, but about systems, procedures and how we run as a firm,” said Moyser. It has also revealed opportunities to improve some processes and rationalise some of the software used by MHA Macintyre Hudson. “It’s been incredibly enlightening and insightful. A very worthwhile process.”

This article was original published under the title "Closing the gap" in Audit and Beyond, April 2018.

Find out more

Members of the Audit and Assurance Faculty, IAAE and subscribers to Faculties Online

Read the full article: Closing the gap

Non-Members

To read the complete article, subscribe to Faculties Online or join the Audit and Assurance Faculty and get access to this article in full, plus all future publications, events, webinars and services.