Save the date for FCSA Forum 2024 – Tuesday July 2nd in London


Countdown to compliance: preparing for GDPR in the real world

Written by FCSA Business Partner, FreeAgent.

With the General Data Protection Regulation (GDPR) coming into effect next month, is your practice ready to be compliant? Richard Grey, Head of Information Security at award-winning accounting software provider, FreeAgent, explains how the company is getting ready for GDPR.

Read the original article here.

While there’s a lot of helpful information out there about the General Data Protection Regulation (GDPR), at FreeAgent we’ve found that sharing knowledge has been the most valuable tool in preparing for the new legislation.

The Information Commissioner’s Office (ICO) is a great place to get started, but if you are already on your way to compliance, read on for some of the key learnings we uncovered on our journey, along with some top tips you may find helpful in your own practice.

Please note that the following tips are based on FreeAgents’ own interpretation of GDPR, which may or may not be applicable to your own business. This article should not be interpreted as legal advice.

1. Assess and audit your systems and processes

Auditing your current processes will give you a clear foundation to build upon, so take stock of your current situation and clarify your position under GDPR. This includes determining if and when your business is classed as a data processor or controller and deciding whether you need to appoint a Data Protection Officer.

2. Analyse the potential risks

You should now be able to identify any potential danger points, both physical and digital. For example, you may find there are opportunities for sensitive information to leave the premises, or for unencrypted data sent via email to be intercepted.

Some areas may not present an immediate compliance hazard but could pose a longer-term risk to your business. For example, using physical files to store data may give you a lot of manual work to do should someone wish to view a copy of their data.

If you use third-party systems, you should make sure they are GDPR compliant, and find out whether they can help you meet your own compliance obligations. For example, FreeAgent makes it easy to for you to respond to the rights of individuals whose data you process through updates to the application.

3. Identify what you need to update

Having completed your audit and identified risks, you should be in a good position to make a plan of action. Every business will be different, but some common areas are:

  • Marketing – Depending on how you decide to process your marketing post-May 25th (the GDPR compliance deadline), you may need to update data capture forms to allow people to opt out of marketing.
  • Employee data – Check that you are storing your employees’ data in the right place and only keeping what is relevant to your obligations as an employer. Minimising the data kept, how long it’s kept and who can access it are all best practice.
  • Policies and contracts – It’s likely you will need to update documents such as your Terms of Service, in which case you will also have to let your customers know that these are changing (see point 4 below).
  • Data access and deletion – If an individual asks for their data to be deleted, make sure you have a plan of how you would deal with this. Understanding what you can and cannot delete and knowing how quickly you are able to action such a request is essential.
  • What about a data breach? – If a breach occurs, you have 72 hours from the time of discovery to report it. Documenting a process for this will help relieve stress and provide structure. Preparing a holding statement may also be a helpful precaution.

4. Communicate, communicate, communicate!

Clarity and transparency are fundamental to GDPR. Make sure your whole team understands your obligations as a business and their contributions as individuals – this may require some internal education.

Helping your clients understand how you can support them with GDPR can also enhance your position as a trusted advisor.

5. Record it and don’t forget it!

You’ve done a lot of work to stay compliant – make sure you don’t lose track of it! Recording your progress is valuable evidence should the ICO pay a visit. Regular training, auditing and purges of data, along with continually updating documentation is the best way to ensure your business is in the strongest position for GDPR.

FreeAgent provides award-winning online accounting software for small business owners and their accountants. Get in touch to find out how FreeAgent can support you and your clients.