UK GDPR – Data mapping and documentation

This helpsheet has been issued by ICAEW’s Technical Advisory Service to help ICAEW members to understand how data mapping and documentation can assist in meeting the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Detailed guidance is also available from the Information Commissioner’s Office (ICO).

Members may also wish to refer to the following related helpsheets:

• UK GDPR – Data processor or data controller?
• UK GDPR – Client files
• UK GDPR – Communicating safely with clients

The UK GDPR places a strong emphasis on accountability and governance, requiring comprehensive but proportionate governance measures that minimise the risk of breaches and uphold the protection of personal data. The accountability principle requires that firms demonstrate they comply with the principles and documentation will of course be essential in achieving this. Firms may be required to make such records available to the ICO on request.

In order to successfully document all its processing activities and comply with the accountability principle a firm will need to conduct a data mapping exercise.

Data mapping is about identifying what personal data a firm holds and reviewing policies, procedures, contracts and agreements to address areas such as retention, security and data sharing to ensure compliance with the UK GDPR.

As part of the exercise information is gathered on privacy notices, records of consent, controller-processor contracts, the location of personal data how personal data breaches will be identified. Policies and procedures are also established and training of staff considered.

The ICO has also produced extensive guidance on documentation as well as documentation templates for controllers and processors. Whilst it is not mandatory to use these specific templates, they are an excellent starting point.

Firms will need to appoint or nominate someone senior to oversee the data mapping process and take responsibility for data protection policies/procedures.

Care should be taken as to the title of this role however. A Data Protection Officer (DPO) is only required by the GDPR in specific circumstances and firms are advised to avoid appointing someone as a DPO unless this is specifically required. Firms for example may wish instead to refer to this person as Head of Privacy or Data Protection Manager.

Whilst not exhaustive, the following are some key areas for accountancy firms to consider as part of their data mapping.

• Have you got consent from existing marketing contacts to continue sending marketing emails?
• Do you make use of any subcontractors?
• Who has access to your client files? Why? Should they have access?
• What categories of personal data do you store? Why? Where?
• Do your staff know what a personal data breach is? Do they know who to report suspected breaches to? See the helpsheet UK GDPR - Data breaches.
• Why are you processing each category of personal data?
• Do you have an IT security policy? Does it cover all devices used by your staff including mobile phones / tablets?
• Have you reviewed all your contracts?
• What categories of individuals do you process the personal data of?
• Which software providers do you use? Do any of them have access to personal data you store? Are they UK GDPR compliant?
• Which lawful basis for processing do you use for each category of personal data in each system?
• Do you process any special category data?
• Are your staff fully trained on relevant policies?
• How do you transfer personal data between your client and the firm? Between staff within the firm? To other organisations e.g. HMRC?
• Are you processor, controller or joint controller (see UK GDPR – Data processor or data controller helpsheet)? Do you know who the controller or joint controller is?
• Do you use cloud storage? Where is the server located? Is the provider GDPR compliant?
• Have you updated your engagement letters, terms of business and privacy notices (see Engagement letters and privacy notices helpsheet)?
• Do you have more than one office? How will you maintain consistency within policies and procedures?
• If you employ staff, have you considered your UK GDPR compliance as a controller of your employees personal data?
• How will you deal with subject access requests?
• Have you reviewed employment contracts?
• What backup policies do you have in place?
• What are your retention periods for personal data? Why? Is this period necessary?
• Which individual rights are relevant to each category of personal data and type of individual?

The ICO is the regulator for data protection in the UK and has its own website and helpline.

ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250 or via webchat.