GDPR FOR ACCOUNTANTS: YOUR QUESTIONS ANSWERED

Transcription

1 ICAEW BUSINESS LAW / IT FACULTY FAQs GDPR FOR ACCOUNTANTS: YOUR QUESTIONS ANSWERED Business Law /IT Faculty FAQs are published by ICAEW s Business Law team and the IT Faculty. GDPR fr Accuntants: Yur Questins Answered is a series f FAQs designed t prvide accuntants practical guidance n the changes t data prtectin legislatin arising frm the General Data Prtectin Regulatin (GDPR). This cntent is nt intended t cnstitute legal advice. Members are advised t seek specific legal advice befre taking r refraining frm taking any actin in relatin t the matters utlined GDPR: WHAT DOES IT MEAN FOR ACCOUNTANTS? Intrductin This guide is designed as an intrductin t the GDPR fr members and member firms and explains what the changes mean fr accuntants. It is part f a series designed t answer the questins that members have been asking abut the GDPR. These include What is the GDPR? an verview f the key terms and cncepts f the GDPR and A GDPR Checklist suggests the key steps members shuld take. Mre FAQs and helpsheets are available n the ICAEW GDPR webpage. It is nt definitive guidance n all aspects f the GDPR. The Infrmatin Cmmissiner s Office (ICO) has issued sme pieces f guidance and will cntinue t d s. Members are, therefre, advised t regularly check the ICAEW and ICO webpages fr the latest infrmatin and guidance frm the ICO and the EU s Article 29 Wrking Party. In additin the ICAEW s Essential Guide t GDPR is a useful starting pint fr members and ICAEW s dedicated GDPR webpage has mre infrmatin and links t further resurces. If yu have any cncerns r questins abut hw the GDPR may affect yur business r practice that are nt addressed here then please cntact ur Technical Advisry Service. If in dubt, members are advised t seek legal advice as this cntent is nt intended t cnstitute legal advice. Specific legal advice shuld be sught befre taking r refraining frm taking any actin in relatin t the matters utlined. What is the GDPR? The GDPR is the General Data Prtectin Regulatin and came int frce n 25 May It is an verhaul f existing EU legislatin n data prtectin, nt a new apprach. It replaces the UK s Data Prtectin Act 1998 (DPA 98). It will apply t all EEA cuntries and any individual r rganisatins trading with them. As it cmes int frce n 25 May 2018 (befre the UK leaves the EU), UK individuals & rganisatins must ensure cmpliance with the new regime by then. Furthermre, the new UK Data Prtectin Act 2018 incrprates all f the GDPR as well intrducing sme new prvisins. This is s the UK will be GDPR cmpliant pst Brexit.

2 An verview f the impact f the GDPR In this sectin we will cnsider hw the GDPR will impact members and member firms. This shuld be read in cnjunctin with What is the GDPR? (fr definitins f the key terms and cncepts) and A GDPR Checklist (fr practical tips). Please nte: this is a living dcument and will be amended as we receive mre guidance frm the ICO. Des the GDPR still apply just t Persnal Data? Yes. As befre persnal data means data which relates t a living individual wh can be identified frm: the data; r the data and ther infrmatin which is in the pssessin f, r is likely t cme int the pssessin f, the data cntrller. It als includes any expressin f pinin abut the individual, any indicatin f the intentins f the data cntrller r any ther persn in respect f the individual. What is nw included as Persnal Data? The GDPR has added t the type f data that can identify a living individual t reflect changes in technlgy. S as well as name, address, date f birth it nw includes IP addresses, lcatin data and ckie identifiers as well as genetic data. What is als new is that the GDPR cvers bth paper and electrnic data. The GDPR, hwever, cntinues t apply t persnal data within an autmated systems and t hard-cpy dcuments that are cntained in as relevant filing system (meaning a structured set f persnal data that can be searched by reference t certain criteria). Please nte: the GDPR specifically excludes the prcessing f persnal data if perfrmed by a natural persn fr a purely persnal r husehld activity such as the private use f scial media. What abut the persnal data prcessed by accuntants and accuntancy firms? Accuntants and accuntancy firms typically prcess tw different types f persnal data: client data and firm data. Client data is persnal data received frm clients in relatin t prfessinal engagements and practice. Firm data is persnal data held by a firm in relatin t its wn management, emplyees and affairs generally, including marketing databases. The GDPR will nt change this. Are there any changes t the definitin f prcessing? N. As under the DPA prcessing means: btaining, recrding r hlding infrmatin r data; r carrying ut any peratin n the infrmatin r data, including rganising, adapting r altering, using, disclsing (by any means), cmbining with ther data, blcking r remving in any ther way frm the recrd. Des the GDPR nly apply t digital prcessing? N. Manual/paper recrds are als included if they are part f a relevant filing system. This means papers stred systematically, fr example, in a filing cabinet are included but ad hc paper files are nt. Members shuld ensure that they apply the same levels f diligence t paper recrds as they d digital recrds and that any decisins made regarding the lawful basis fr prcessing, adhering t data prtectin principles and uphlding data subjects rights include paper recrds. Des the GDPR create a cnflict with the ICAEW s cde f Ethics and the cncept f client cnfidentiality?

3 N. The cre requirements fr prfessinal cnfidentiality and integrity will apply in all cases. What are the GDPR s data prtectin principles? Is this a change? As with the DPA, the GDPR stipulates that the prcessing f persnal data must be in accrdance with the data prtectin principles (see FAQs - What is the GDPR?). These have nt changed, althugh the principle f accuntability has been added. Hw can I prve accuntability? Under Article 5(2) f the GDPR cntrllers will be respnsible fr, and must be able t demnstrate, cmpliance with the GDPR s data prtectin principles. This is the accuntability principle. It means that internal mechanisms and cntrl systems are put in place t ensure cmpliance with the GDPR and there is (dcumentary) evidence t prve this. This evidence may need t be prduced t external stakehlders, including supervisry authrities (such as the ICO in the UK). Members shuld, therefre, have written plicies and prcedures set ut in a Data Prtectin Plicy and all staff will need training (apprpriate t their rle) t ensure they understand these plicies and prcedures. The plicies and prcedures will need t be regularly updated, as will staff training. The ICO has indicated that staff training shuld be repeated at least every tw years. Demnstrating that the business has sught cnfirmatin f the suitability f their systems will als prvide valuable evidence. Members are advised t cnsider the varius schemes available that can be used t demnstrate this such as the Natinal Cyber Security Centre s Cyber Essentials and Cyber Essentials Plus r IASME and ISO Are the lawful bases fr prcessing the same? As under the DPA, the GDPR stipulates that befre yu can prcess data yu must establish that yu have a lawful basis fr ding s (see What is the GDPR?). The GDPR, hwever, states that yu must identify upfrnt the lawful basis, dcument the reasning and infrm the data subject f it. Members will therefre need t decide which f the lawful bases are applicable, dcument this and infrm the data subject (via a privacy ntice, engagement letter r cntract). In relatin t client data, a lawful basis might be t meet a legal bligatin (eg, a statutry audit) r legitimate interest r fr the perfrmance f a cntract (if the cntract is with a data subject). This will need t be specified in the engagement letter fr the service ffering. In relatin t firm data, it may be apprpriate t btain cnsent t hld and prcess persnal data fr marketing purpses but fr emplyees the basis is mre likely t be legitimate interest. This is because the relatinship between emplyer and emplyee is such that the emplyee (i.e. the data subject) is unable t give cnsent freely. Fr emplyees the lawful basis must be specified in the emplyment cntract; fr marketing cntacts members will need t ensure they have dcumented hw they btained cnsent that is GDPR cmpliant (see belw fr mre n cnsent under the GDPR). Befre yu can prcess data yu must satisfy all the principles and at least ne prcessing cnditin. This must be dcumented. Please nte: the ICO s guidance n lawful bases includes a lawful basis interactive guidance tl t give tailred guidance n which lawful basis is likely t be mst apprpriate fr yur prcessing activities. When and hw can I use cnsent as a lawful basis fr prcessing? The GDPR will strengthen the rules regarding when cnsent can be deemed t have been given by a data subject. Under the GDPR cnsent must nt be assumed but shuld be: freely given; unambiguus; nt btained under duress;

4 nt bundled tgether with ther services; renewable (ie, fr a fixed perid); revcable (and withdrawing cnsent must be as easy as giving cnsent); and specific. The prcessr must als be able t prve that cnsent has been given in this way: this means the fact f cnsent must be dcumented r in the case f ral cnsent evidenced in sme way. Remember cnsent is nt the nly way t prve that yu have the right t prcess persnal data there are thers (see the sectin n lawful bases abve) that may be mre apprpriate. Fr example because f the imbalance f pwer between an emplyer and emplyee, cnsent cannt be given freely but the emplyer des have a legitimate interest in hlding persnal data abut its emplyees but nly the data that is necessary t fulfil this legitimate interest. We advise that members shuld review whether they are relying n cnsent t hld persnal data, check if this is still apprpriate and seek ther grunds fr lawfully prcessing persnal data if necessary. In case f dubt we advise members t seek legal advice. Please see: The ICO s guidance n cnsent. Definitin f data prcessrs and data cntrllers any change? N. Generally a cntrller determines the purpses and means f prcessing persnal data whereas a prcessr is respnsible fr prcessing persnal data n behalf f a cntrller. This is a cmplex area and legal advice may be required. This has nt changed. If I am data prcessr r data cntrller nw will I remain ne under the GDPR? Yes. The definitins have nt changed fr either a data cntrller r a data prcessr but it is imprtant t be aware that the respnsibilities f bth have changed (see belw) and will require actin t ensure GDPR cmpliance. Under the GDPR member firms will still be data cntrllers with regard t their firm data. In respect f client data, hwever, it is pssible, as under the DPA, that firms culd be cnsidered a prcessr rather than a cntrller. Hwever with reference t the DPA the ICO has previusly advised that an accuntancy firm is always a data cntrller - this can, hwever, be slely r jintly with the client. This is because the firm will usually have flexibility ver the manner in which it prvides services t its clients and may nt be simply acting n their instructins. We d nt expect the ICO t change this view because f the GDPR, althugh we are seeking clarificatin frm them. If there is any dubt regarding yur status as a prcessr r cntrller we advise yu t take legal advice. What are the new respnsibilities f data prcessrs under the GDPR? These will include the fllwing: a duty t maintain recrds f all prcessing activities (and the ICO can inspect these); a duty t identify and dcument under what basis they are prcessing data; and a duty t infrm yur data cntrller if there is a breach. Under the GDPR a prcessr can nly act n the dcumented instructins f a cntrller (see belw fr mre n cntracts between prcessrs and cntrllers). The mst significant change hwever is that under the GDPR data prcessrs, nt just data cntrllers, can be held respnsible fr a breach and therefre subject t sanctins and/r fines. S as well as recrding their activities and dcumenting the ratinale fr prcessing, prcessrs must als have a breach plan in place s that they can infrm the data cntrller if there is a breach. What abut data cntrllers? Will their rle and respnsibilities change nce the GDPR cmes int frce?

5 The definitin and rle f a data cntrller has nt changed but under the GDPR data cntrllers must ensure that any prcessrs they deal with are als GDPR cmpliant. In line with the accuntability principle this must be dcumented. A new fee structure has been prpsed fr data cntrllers pst 25 May See the ICO s guidance n the prpsal. Cntracts between data prcessrs and data cntrllers The GDPR stipulates that data prcessrs and data cntrllers must have in place a written cntract. Furthermre it sets ut in detail what shuld be included in cntracts between data cntrllers and data prcessrs. These include the subject matter f the prcessing, its duratin, and purpse, type f persnal data and categries f data subjects. Members shuld review (r draw up) cntracts between themselves and any third party wh is either their data cntrller r wh prcesses data n their behalf. This will als include clud strage prviders. If any f these are based utside f the EU (clud strage prviders frequently are) members will need t btain a GDPR cmpliance statement cnfirming in writing that any data transferred ut f the EU t r by the clud strage prvider is in line with the GDPR s equivalence rules (see belw). Please nte: the ICO has prduced a useful checklist f what t include in cntracts but as this is a cmplex area we wuld advise that, if in any dubt, members seek legal advice. The GDPR refers t a Data Prtectin Officer (DPO) but what is a DPO and d I need t appint ne? The DPO is a new rle established by the GDPR. A DPO is the persn within an rganisatin wh: advises the rganisatin n its data prtectin bligatins; mnitrs the rganisatin s cmpliance with the GDPR; and is the first pint f cntact with the ICO and data subjects. Under the GDPR a DPO must: pssess sufficient and expert knwledge f data prcessing (including the relevant legislatin); be able t avid any cnflicts f interest between their rle as a DPO and any ther rle they perfrm within the rganisatin; and be able t act independently ie, they must nt be instructed n hw t carry ut their functins r hw t interpret the legislatin. T ensure a DPO can act with the necessary degree f autnmy the GDPR states that a DPO cannt dismissed r penalised fr perfrming their task. The GDPR specifies that a DPO must be appinted when: the prcessing is perfrmed by a public authrity r bdy; r the cre activities f the cntrller r prcessr cnsist f regular and systematic mnitring f data subjects n a large scale; r the prcessing relates t sensitive data r criminal ffences, again if n a large scale. The GDPR des nt define what a public authrity is but the UK gvernment has stated that the definitin f a public authrity r bdy in this instance will be in accrdance with the Freedm f Infrmatin Act (FOI). This wuld suggest that accuntancy firms are unlikely t be cnsidered as a public authrity but all academy schls, fr example, are as they are specifically included under the FOI as a public authrity r bdy. Hwever, this is nt necessarily the case as the DPA 2018 includes a qualificatin: a public authrity will nly be treated as a public authrity fr the purpses f the GDPR when it is carrying ut a task in the public interest r in the exercise f fficial authrity vested in it.

6 The GDPR des nt define large-scale but the latest EU Article 29 Wrking Party guidance suggests that the fllwing wuld cnstitute large-scale prcessing: prcessing f patient data in the regular curse f business by a hspital; prcessing f travel data f individuals using a city s public transprt system (e.g. tracking via travel cards); prcessing f real time ge-lcatin data f custmers f an internatinal fast fd chain fr statistical purpses by a prcessr specialised in these activities; prcessing f custmer data in the regular curse f business by an insurance cmpany r a bank; prcessing f persnal data fr behaviural advertising by a search engine; r prcessing f data (cntent, traffic, lcatin) by telephne r internet service prviders. The fllwing are given as examples f what wuld nt cnstitute large-scale prcessing: prcessing f patient data by an individual physician; r prcessing f persnal data relating t criminal cnvictins and ffences by an individual lawyer. This suggest that mst accuntancy practices wuld nt be invlved in large scale prcessing and s will nt need t appint a DPO but if yu are unsure whether yu need t appint a DPO we advise yu t seek legal advice. Can I appint a DPO even if I dn t need t under the GDPR? Yes but the respnsibilities f and prtectins affrded t a DPO means this may nt always be the best way frward. A Head f Privacy may be mre apprpriate but whatever the title the persn appinted r assigned must have sufficient authrity t ensure GDPR cmpliance is achieved. Please nte: If yu dn t need t appint a DPO ur advice, nnetheless, is that yu must appint smene senir t versee and mnitr GDPR cmpliance bth pre and pst 25 May2018. Hw will the new rights f individuals affect my accuntancy practice? The GDPR has enhanced the rights f individuals (data subjects) and s all rganisatins need t be aware f these and set up plicies and prcedures t deal with them. The rights are nw: Right t be infrmed; Right f access; Right t rectificatin Right t erasure ( right t be frgtten see belw); Right t restrict prcessing (see belw); Right t data prtability (see belw); Right t bject (see belw); and Rights re: autmated decisin making and prfiling. All these rights require prcesses t be in place t ensure that they can be met. It is wrth bearing in mind, hwever, that nt all the rights are abslute and yu can take a risk based apprach and decide nt t have prcedures fr certain rights if it is very unlikely that a data subject will ask yu t enfrce them. Fr accuntancy practices we believe this is mst likely in regard t the new rights regarding autmated decisin making and prfiling but that all the ther rights may be enfrceable in certain circumstances. Can my clients r emplyees ask fr erasure?

7 Under the right t erasure (r right t be frgtten ) a data subject is entitled t ask a data prcessr t delete/erase the persnal data held by them (and by any third party) and the prcessr must cmply with this request. This right is nt, hwever, abslute unless the data prcessr is relying slely n the cnsent f the data subject as the legal basis t prcess the data. In additin, where the persnal data is n lnger necessary in relatin t the purpse fr which it was riginally cllected then the right t be frgtten can be applied. If the data is prcessed under any ther prcessing cnditin, such as legitimate interest, then there is n autmatic right t be frgtten. This wuld apply t client data held fr audit, tax, anti - mney laundering r ther regulatry purpses. Where the persnal data is held under a lawful basis ther than cnsent and is n lnger necessary in relatin t the purpse fr which it was riginally cllected (eg, persnal data held as part f an audit assignment but the perid it has been held exceeds the statutry requirements) then the right t be frgtten can be applied. Likewise, if there are n ther verriding legitimate grunds fr the prcessing (including strage) r where the data has been prcessed fr direct marketing purpses, then the right t be frgtten can be enfrced. If yu have t respnd t a request fr erasure, then yu will need t ensure that all the persnal data f the data subject is erased. This will include data held by third parties such as a clud prvider whether in the UK, EU r anywhere else. It will nt necessarily include archived data as the ICO has indicated that nly reasnable endeavurs shuld be undertaken t ensure all data is deleted. It is therefre advisable t put in place plicies t deal with such requests nw rather than waiting until yu receive such a request. Wh has the right t bject t prcessing? The right t erasure shuld nt be cnfused with a data subject s right t bject t all further prcessing, including the strage, f their persnal data ( right t bject. This includes data cllected fr the purpses f direct marketing and prfiling. The prcessr must agree t a data subject s bjectin t prcessing if there is n lawful reasn fr them t cntinue t hld the data. Again it is advisable t put in place plicies t deal with such requests nw rather than waiting until yu receive such a request. What is the right t restrict prcessing? Under this right a data subject can ask fr all future prcessing f data t stp. Data can still be stred but cannt be further prcessed. This right existed under the DPA s is nt new but shuld nt be cnfused with the right t erasure. Again it is advisable t put in place plicies t deal with such requests nw rather than waiting until yu receive such a request. Wh has a right t data prtability? The right t data prtability allws individuals t btain and reuse their persnal data fr their wn purpses acrss different services. This means they shuld be able t mve, cpy r transfer persnal data easily frm ne IT envirnment t anther in a safe and secure way. This right is primarily designed t enable cnsumers t take advantage f applicatins and services which can use their data t find them a better deal, r help them understand their spending habits and as such we believe it is unlikely (but nt impssible) that accuntancy firms will be asked t deal with such a request. Are there any changes t the rules abut Subject Access Requests (SARs)? Yes. Data subjects will still be able t make a SAR but an rganisatin may n lnger charge a fee fr them and must nw respnd within 30 days (previusly 40 days). All SARs must be respnded t unless a cntrller can shw that the request is manifestly unfunded r excessive. Again members shuld establish prcedures t deal with SARs. Hw des the GDPR change the rules n dcument retentin? The GDPR, like the DPA, stipulates that data must nly be held fr the purpse fr which it was cllected and nly fr as lng as necessary, althugh it des nt specify what is meant by as lng as necessary. This means that just in case is nt a justificatin fr retaining data but at the same time it is nt necessary t delete all persnal data as a matter f curse.

8 Hw lng is necessary fr client data? This is likely t be determined and/r affected by a number f factrs as fllws: Audit files and papers cntaining persnal data statutry audit regulatins; Tax files HMRC regulatins; Criminal cases e.g. mney laundering legal requirements; Cntracts fr the life f the cntract; and Emplyee details statutry requirements. It is recmmended that members and member firms shuld review all the data they hld and n what grunds the data is held (by categry). Fllwing n frm this review decisins must be made whether they d need t hld it and plices drafted accrdingly. Please nte: if a firm drafts a plicy n hw lng, fr example, the persnal data f frmer and prspective emplyees shuld be held, the data held must nly be that which it is necessary ie, nt all the persnal data. Fr example, a firm may determine that name and address may be all that is necessary t hld t enable the firm t cntact a frmer emplyee, fr a specific purpse (eg, changes t a pensin scheme, emplyment pprtunity) in the future. Please nte: We will be updating ur guidance Dcuments and recrds: wnership, lien and rights f access and the Helpsheet Dcument Retentin t reflect the requirements f the GDPR and the Data Prtectin Act 2018 in due curse. The new fines are very high what I can d t reduce the risk f a ptentially ruinus fine? The fines are ptentially very large but the ICO has indicated that the Infrmatin Cmmissiner will nt autmatically impse the tp level f fines as their aim is t encurage rganisatins t take their data respnsibilities seriusly rather than bankrupt rganisatins. S if an rganisatin has dne everything it culd t mitigate a breach then this will be taken int accunt by the ICO. This is why the mst effective actin fr members t take nw is t review and enhance their cyber security, dcument their plicies and prcess actin taken and t update r create prcesses that dcument when and hw plicies are implemented and maintained. Is it true that emplyees and clients culd claim cmpensatin fr a breach? Yes. Clients and emplyees, as data subjects, can make a claim against bth data prcessrs and data cntrllers if they can prve they have suffered damage r distress as a result f the breach. The mere fact f a breach, therefre, will nt autmatically mean yu will have pay ut cmpensatin but it des mean that any breach respnse plan shuld include an assessment f just wh culd be impacted (and hw) by the breach. D all breaches have t be ntified t the ICO within 72 hurs? Yes and N. Any breach shuld be recrded (including the actin taken) but it nly has t be reprted t the ICO if is likely t result in a risk t the rights and freedms f individuals. These include the risk f discriminatin, damage t reputatin, financial lss, lss f cnfidentiality r any ther significant ecnmic r scial disadvantage as a result f the breach. The ICO has advised that this needs t be assessed n a case by case basis and has given the fllwing examples f when and when nt t ntify them: yu will need t ntify the ICO abut a lss f custmer details where the breach leaves individuals pen t identity theft; but yu will nt need t ntify them if the breach has resulted in the lss r inapprpriate alteratin f a staff telephne list. We advise that members shuld put in place a plan f actin t deal with breaches and test it befre any breach ccurs.

9 D I have t ntify anyne else f a breach? Data Prcessrs must nw infrm their data cntrller. Data Cntrllers must infrm the data subjects if there is a high risk that they will be impacted adversely by the breach. In bth cases this must be as sn as feasibly pssible and withut undue delay. What is Data Gvernance? The GDPR impses n rganisatins the need t reduce the risk f any breaches and t prve that they take data gvernance seriusly by, fr example, putting in place and fllwing prprtinate data gvernance prcedures. Data Privacy Impact Statements, Privacy ntices and the cncept f Privacy by Design are all ways t embed data gvernance in t the peratins f an rganisatin. What is a (Data) Privacy Impact Assessment? When will I have t prepare ne? These must be carried ut t assess the risk t an individual s rights when, fr example, intrducing new technlgy r new wrking practices. Please nte: The ICO has issued guidance n cmpleting Privacy Impact Assessments (PIA) under the DPA 98. It is currently updating this guidance t reflect the prvisins f the GDPR but has advised rganisatins that its existing guidance is a gd starting pint fr rganisatins. What des Privacy by Design mean and will it apply t my practice? This is a new cncept and means that the prtectin f privacy must be built int all decisin making prcesses and at the start f any new service develpment r prcess develpment. It cvers bth technlgical and rganisatinal measures and applies t all rganisatins. S if a firm is cnsidering, fr example, changes t wrking practices (eg, hmewrking), an ffice redesign r installing new technlgy then means t prtect the privacy f data subjects must be included in the decisin making prcess and the rlling ut f the change. This wuld include, but is nt limited t, a cnsideratin f hw hme wrkers will ensure any persnal data is held securely n any persnal equipment used (if this is permitted), r hw the dispsal f ld filing cabinets, paper recrds and cmputer equipment shuld be undertaken t ensure that persnal data des nt fall int the wrng hands. What is a Privacy Ntice? A privacy ntice is a dcument explaining t data subjects their rights and hw their persnal data will be used. They are nt new but the GDPR is mre prescriptive as t what they shuld include and hw they shuld be prepared. In particular they must be easy t understand and nt excessively lng. The ICO has issued guidance n privacy ntices and ICAEW have issued a helpsheet and template fr members. Will engagement letters have t change? Yes. All engagement letters will have t be updated t infrm clients that the GDPR (and the new Data Prtectin Act nce it cmes int frce) is the applicable legislatin and as befre explain hw yu will use the persnal data f yur clients in line with the GDPR and ther applicable legislatin. Care shuld be taken t ensure that there is n bundling f services eg, an engagement letter fr an audit assignment shuld nt als imply that by accepting the terms f this service ffering the client is als cnsenting t the receipt f marketing r prmtinal material frm yur practice. ICAEW has prepared a helpsheet and pr frma paragraphs t include in engagement letters issued after 25 May 2018 and a cvering letter t amend engagement letters issued befre 25 May Further Infrmatin ICO s Guide t the GDPR fr a cntinually updated guide t the GDPR

10 ICO guidance fr Small Organisatins The EU s Article 29 Wrking Party news page fr updates n their latest guidance ICAEW's Guide t the GDPR a webpage dedicated t the GDPR with ur guidance and articles frm third parties ICAEW s FAQS GDPR fr Accuntants: Yur Questins Answered available here What is the GDPR GDPR What des it mean fr Accuntants? A GDPR Checklist GDPR: Yur Questins Answered Webinar Q and A Part One General GDPR Yur Questins Answered Webinar Q and A Part Tw Cnsent and Marketing Pensin Funds Technical Advisry Service Data Prtectin Helpsheets Engagement Letters and Privacy Ntices guidance and templates ICAEW Webinars see Events webpage fr details

11 Cpyright ICAEW 2018 All rights reserved. This dcument may be reprduced withut specific permissin, in whle r part, free f charge and in any frmat r medium, subject t the cnditins that: it is apprpriately attributed, replicated accurately and is nt used in a misleading cntext; the surce f the extract r dcument is acknwledged and the title and ICAEW reference number are quted. Where third-party cpyright material has been identified applicatin fr permissin must be made t the cpyright hlder. icaew.cm ICAEW cnnects ver 150,000 chartered accuntants wrldwide, prviding this cmmunity f prfessinals with the pwer t build and sustain strng ecnmies. Training, develping and supprting accuntants thrughut their career, we ensure that they have the expertise and values t meet the needs f tmrrw s businesses. Our prfessin is right at the heart f the decisins that will define the future, and we cntribute by sharing ur knwledge, insight and capabilities with thers. That way, we can be sure that we are building rbust, accuntable and fair ecnmies acrss the glbe. ICAEW is a member f Chartered Accuntants Wrldwide (CAW), which brings tgether 11 chartered accuntancy bdies, representing ver 1.6m members and students glbally. Chartered Accuntants Hall T +44 (0) Mrgate Place, Lndn E ethics@icaew.cm icaew.cm