In the accountancy industry, a great deal of sensitive client information is handled on a daily basis.
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.
Chinese internet titans are now testing a system that assigns every citizen a social credit score that goes beyond a regular credit rating of a person's finances and payment history by evaluating their behavior and preferences as well as their personal relationships. "Personal data" in this context means data relating to a living individual who can be identified from that data, or can be identified from that data taken together with other information that we hold or are likely to obtain.
"Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision-makers to re-evaluate measures to safely process personal data". It includes basic information like names, any identification numbers, but also can include less obvious information, particularly information which can be matched with other information to enable identification, such as certain types of location information, or online identifiers such as IP addresses, or a pseudonym.
The GDPR speaks of Data Protection by Design and Default.
Client data: Personal data received from clients in relation to professional engagements and practice.
Financial Services - Financial organizations often maintain huge stockpiles of PII data on account holders.
According to ICAEW, manual and paper records are also covered by GDPR if they are part of a "relevant filing system", i.e. papers stored systematically in a filing cabinet are included but ad hoc paper files are not. Make sure they confirm in writing whenever they do this, as this will give further protection.
"For South African organisations, if the GDPR applies to you, consider how you can combine your GDPR and Protection of Personal Information Act compliance programmes, as numerous requirements are similar (although there are some differences)".
How can I prove accountability?
The survey also asked SMEs about the stage of GDPR compliance they were at.
In addition to that, minimal human interaction is required to supervise it.
Additionally, it is advised for businesses to demonstrate the suitability of their systems.
Jourova sought to reassure smaller firms anxious about adapting to the new rules that carry fines for those in breach.
From a privacy perspective, data protection impact assessments (DPIAs) can help identify, assess and mitigate or minimise privacy risks. As such, your accountancy firm must be aware of these and set up policies and procedures to facilitate them.
During the registration process, the attendee has a right to opt out.
Having the answers to these questions will protect you from any unpleasant surprises in the future.
So far, the biggest perceived effect of the most important data-privacy law ever has been a sharp increase in emails from social networks and web services alerting me that those endless contractual walls of text you thoughtlessly click OKAY on - privacy policies, data policies, and/or terms of service - will change, most conspicuously on the same date, May 25, 2018.
So, are you GDPR-ready?
Another important requirement under GDPR is that customers must be able to decide with knowledge, from a text that is clearly explained, what they are committing to and what a company will do with their data.