Data protection and privacy are matters of professional concern to accountants in practice, industry or commerce.
Data protection now the UK has left the EU: February 2021 update
The EU Commission has issued a draft decision that the UK will be granted a full adequacy decision which will enable data flows from the EU/EEA to continue as they did when the UK was in the EU. However the European Data Protection Board still has to formalise this and will not do this before it has consulted with member states .
In the meantime members can continue to receive data from the EU/EEA as outlined in our January 2021 update but are reminded that these are temporary arrangements in place until a final decision on adequacy is determined or 30 June 2021, whichever is soonest.
We will update members when we can but members are also advised to regularly check the ICO website for details of the latest developments.
There are a number of pieces of legislation with which members should comply including:
- Data Protection Act 2018 (which incorporates the GDPR into UK law);
- Data Protection (Charges and Information) Regulations 2018;
- 2003 Privacy and Electronic Communications Regulations; and
- Freedom of Information Act 2000.
October 2020 Update: Data Protection and Brexit
When the transition period ends on 31 December 2020, the UK will become what is known as ‘ third country’ by the EU. This means UK organisations or individuals cannot assume they can continue to process the personal data of EU data subjects in the same way as now.In particular:
- The transfer of the personal data of EU data subjects from the EU to the UK will not be allowed unless there is an ‘adequacy decision’ or one of the alternative ‘safeguarding mechanisms’ approved by the EU are in place.
- The ‘one-stop shop’ principle will no longer apply and so any organisation that does not have a presence in the EU but processes the data of EU data subjects will need to make alternative arrangements.
Data Protection Act 2018
Data protection legislation in the UK changed when the General Data Protection Regulation (GDPR) came into force on 25 May 2018. At the same time the Data Protection Act 2018 (DPA 2018) came into force, replacing the Data Protection Act 1998 (DPA 98).
The GDPR applies to any individual and organisation trading within the EEA that may store or process personal data, irrespective of the size or function of the organisation. For more details on how the GDPR affects members see our FAQs: What is the GDPR?
The DPA 2018 incorporates the GDPR into UK law as well as adding derogations allowed by the GDPR and new requirements covering law enforcement data and national security data as follows:
- Implements the GDPR standards into UK law across all general data processing.
- Gives exemptions from the GDPR for certain organisations undertaking the following activities: journalism, research, financial services and legal services.
- Sets 13 as the age when children can give consent for the online processing of their personal data.
- Gives a new right for those aged 18 years or older to have their data deleted if there are no legitimate grounds for retaining it.
- Introduces a bespoke regime for the processing of personal data by the police, law enforcement and criminal justice agencies.
- Provides new safeguards to enable the intelligence agencies to manage security threats.
- Gives additional powers to the Information Commissioner including the ability to set fines in line with the GDPR (ie the higher of 20m euros or 4% of the global annual turnover for the most serious breaches).
As well as retaining the offences included in the DPA 98, two new offences have been added. These are:
- intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data; and
- altering records with the intent to prevent disclosure.
For more details on what the DPA 2018 means for you please see the Information Commissioner’s Office’s (ICO) guide.
Data Protection (Charges and Information) Regulations 2018
The Data Protection (Charges and Information) Regulations 2018 introduced a new 3 tier fee structure for data controllers replacing the registration (notification) fee payable under the DPA 98. Under the new rules any organisation that determines the purpose for which personal data is processed (controllers) must pay a data protection fee unless they are exempt.
Privacy and Electronic Communications Regulations (PECR)
Freedom of Information Act 2000 (FOIA)
The Freedom of Information Act 2000 obliges public authorities to publish certain information about their activities; and members of the public are entitled to request information from public authorities. It is based on the principle that people have a right to know about the activities of public authorities, unless there is a good reason for them not to.
The FOIA designates a wide range of bodies as public authorities. The Secretary of State, however, may designate as a public authority for the purposes of the FOIA an entity that is providing, under a contract made with a public authority, a service whose provision is a function of that authority. In this case if a public authority, for example, outsources its internal audit services to a member, then the member could become subject to FOIA in respect of the outsourced (ie internal audit services in this example) service only.
For additional ICAEW guidance on the implications for members see:
If you have any questions on how the above will affect you, please contact our Technical Advisory Service.
The Information Commissioner’s Office (ICO) has guides to the following: