In this extract from a new and informative guide ‘Preparing Your Practice For GDPR’ brought to you by MyFirmsApp, the the worldwide number one provider of intelligent Apps to professional firms in 11 countries, we look at what GDPR means to your practice and detecting and responding to data security breaches.

Individual rights

GDPR builds on and expands individuals’ existing rights and introduces some new rights. Notably, the firm cannot refuse or charge for complying with rights requests unless manifestly unfounded or excessive and requests must be handled within one month – this can be extended up to two.
1. The rights of access and data portability
2. The right to rectification
3. The right to erasure
4. The rights to object and/or to restrict processing
5. Rights in relation to certain solely automated decisions

Next steps

1. Check procedures and determine how you would respond if request is made
2. Consider whether need to revise procedures and make any changes
3. Analyse whether systems are able to locate specific personal data and delete or anonymise it
4. If there are no policies, create, implement and periodically review and train staff

Data security and breaches

What is a data breach?

An incident leading to destruction, loss, alteration, unauthorised disclosure of, or access to personal data and this is more than the loss of personal data or getting hacked, it includes where data is sent to the wrong recipient. Controllers must notify the ICO within 72 hours of becoming aware of a data breach and in some cases, individuals. According to a recent study data breaches in the financial services sector increased 937% year-on-year from 2015 to 2016 so it is vital that practices review their existing IT security measures and check whether they meet the highest security settings of “data protection by design and default” which the GDPR requires for personal data. Any breach caused by human error or lax security measures threatens the accountant client relationship.

Practices need to ensure they have the technologies and processes in place that will enable them to detect and respond to a data breach. This will undoubtedly involve changes to internal data security policies and these will need to be clearly communicated to staff with additional training to ensure data breaches are properly understood and can be easily recognised.

Next steps

1. Check procedures and determine how a data breach would be handled
2. Given timescales for reporting, it is important to have robust detection investigation and internal reporting
3. Policies must be implemented – relevant personnel must be trained and required to comply
4. Staff must understand what constitutes a data breach and that this is more than just loss of personal data