In December 2015 the European Parliament, Council and Commission reached an agreement on new data protection rules establishing a modern data protection framework. Despite the UK referendum leave vote, the ICO has confirmed that GDPR inclusion will become legislative law in May 2018. Non-compliance within the UK under the EU GDPR Directive carries enormous penalties of up to 20m Euros or 4% of annual global turnover, whichever is greater. Business leaders are beginning to realise the implications of non-compliance and to recognise that significant changes need to be made to how customer data is handled and how this affects Finance. From next year accountants will have an obligatory responsibility to ensure accurate maintenance of documentation of customer data, including the exact method and details by which customer consent was recorded. Customer consent must now be freely given, specific, informed and unambiguous. Accountants will need to prove that the organisation or enterprise concerned can show how and when customer consent was lawfully obtained and recorded. Under GDPR inclusion, customers have the right to opt out of any form of automated evaluation, including credit scoring. For example, after a customer takes out a mortgage, under GDPR they have a right to be “forgotten” and to have their personal data permanently erased. Organisations will need to adhere to specific processes to ensure reliable data erasure and be fully compliant, which also means notifying data holders that consent has been withdrawn and data erased, including from backup files, data storage systems and Cloud storage. Accountants will now have to address the following key issues:
Deciding what level of risk assessment needs to be carried out to ensure full compliance with the GDPR inclusion framework.
Considering and better understanding how their software technology vendor partners will maintain and manage data under the GDPR inclusion framework changes.
Examining the implications of key data security considerations for data in motion, data storage including cloud, data encryption and data lifecycle management.
Determining specific and measurable IT data controls to meet GDPR inclusion compliance requirements and avoid penalties and legal action from the ICO and FCA.
The Office of National Statistics (ONS) has revealed that cyber-crime is an imminent threat to UK citizens today, emphasising the importance of training all staff to better understand the precautions required and the consequences of NOT protecting your business or organisation. Some important steps to take initially:
Install encryption software on all PCs and devices in accordance with ICO guidelines.
Apply the necessary due diligence before choosing your data backup provider.
Choose a compliant Cloud data service provider.
Apply relevant software security systems that are password protected.
Source: Amdas Research, including intelligence from the Information Commissioner's Office (ICO) and the Office of National Statistics (ONS)