The Data Protection Act will be superceded by the General Data Protection Regulations (the GDPR) on 25 May 2018. These Regulations contain new requirements concerning how you collect, process, store and erase all personal data (information that can be used to identify a living person) within your practice.
The GDPR will not affect your other legal obligations concerning storing and maintaining your client’s accounts. In particular, the period for retaining your client’s accounting records will still be governed by the relevant legislation (e.g. Companies Act 2006, Taxes Management Act 1970) and in most cases will require you to retain the records for six years. If your client relies on GDPR to request you erase their accounting records, you may only erase the data if doing so will not breach these other legal obligations.
The Regulations replace the Data Protection Act 1998 and rely upon the six principles of good practice. These provide that personal data must:
- be processed fairly, lawfully and transparently;
- only be used for the purpose for which it was collected;
- be adequate, relevant and not excessive for the purpose for which it is being processed;
- be accurate and kept up-to-date;
- not be kept longer than necessary to fulfil the purpose of its collection;
- be kept secure and protected from unauthorised processing, loss, damage or destruction [which includes the data not being transferred to a country or territory outside the European Economic Area unless the personal data is adequately protected and/or consent of the Data Subject has been provided].
The Information Commissioners Office (ICO) has been appointed as the UK body responsible for supervising the implementation of the GDPR. The ICO has published a number of very useful documents on its website to assist businesses in preparing for the change to GDPR, including several preparation checklists, which can be found at:
In consultation with the ICO and the ICB Advisory Council, ICB's in-house counsel Ben Stephens-Brown has prepared a GDPR Guidance sheet to familiarise you with the key aspects of the legislation that affect bookkeeping practices, a shorter Getting GDPR Ready guide to prepare you for the key steps you will need to take when reviewing your practice’s processes, and a template for a Privacy Notice you can use for your practice that covers the relevant aspects of the GDPR.
The three GDPR documents can be downloaded from the Practice Templates & Downloads page:
> Practice Templates & Downloads
Access to this documentation is available to members in practice who are logged-in