In this extract from a new and informative guide ‘Preparing Your Practice For GDPR’ brought to you by MyFirmsApp, the worldwide number one provider of intelligent Apps to professional firms in 11 countries, we look at what GDPR means to your practice and the role of controllers and processors.

What are controllers and processors?

The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances:
• If a public authority (except for courts acting in their judicial capacity).
• If it carries out large scale systematic monitoring of individuals (for example, online behaviour tracking).
• If it carries out large scale processing of special categories of data or data relating to criminal convictions and offences.

A single data protection officer may be appointed to act for a group of companies or for a group of public authorities, taking into account their structure and size. Any organisation is able to appoint a DPO.

A Controller is ‘The natural or legal person, public authority, agency or other body which, alone or jointly with others determines the purposes and means of the processing of personal data’ (Art 4(7) GDPR).

Points to note:
• Businesses are controllers for HR, business and consumer data.
• The controller has overarching responsibility.
• Service providers are generally their clients’ ‘processors’.

A Processor is ‘The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’ (Art 4(8) GDPR).

Points to note:
• Service providers are normally processors, but they can be controllers if they use data for their own purposes.
• Service providers will be both controllers and processors for different types of data.
• GDPR imposes some direct liability on processors.

Records of data processing activity

The law requires:
• Maintenance of internal records of data processing activities (if >250 employees or “higher risk” processing etc.).
• Records must include the range of information set out in the GDPR (e.g. purposes of processing, data categories, recipients, data retention periods, security measures).
• ICO can request the records at any time.

Accountancy practices should undertake a detailed review of their personal data processing activities and should assess the legal basis for processing personal data (e.g. consent, legitimate interest, compliance with law or to perform a contract) and keep a record of the basis. Firms relying on consent from individuals to process their personal data will need to meet the new, higher standard requiring consent to be informed, specific, freely given, unambiguous and revocable. Pre-ticked boxes, silence or inactivity will not meet the new standard. Accordingly, firms should review client care letters and marketing materials and, where appropriate, ensure consent is renewed.

Next Steps

Consider how client consent was given for processing purposes and recognise that pre-ticked boxes or silence will no longer constitute consent. Look at preparing new standard templates to obtain consent for marketing purposes, which clearly explain how the data will be used and for how long it will be stored.

1. Implement an internal record of data processing activities.
2. Document what personal data is held, where it came from and who it’s shared with.
3. Take advantage of existing HR systems and databases.
4. Depending on volume and complexity of data processing, consider carrying out a data audit.

Your Guide to GDPR

Grab your free copy of our helpful and insightful guide to GDPR, which helps you become compliant in time for the deadline.