Data Protection is changing – and so must your company…

The new EU General Data Protection Regulation (GDPR) is imminent. From 25 May 2018, companies and other organisations will be required to comply with it, so you do not have long to prepare and take the action needed to ensure that you are fully compliant.

The purpose of the new legislation is to give individuals more protection over their personal data. Where your trade is Business-to-Consumer (B2C) it is essential that you take action. Business-to-Business (B2B) operations are less affected, but you still need to review the data you hold on individuals within customer firms (names, e-mail addresses and phone numbers of contacts are personal data too).

Potential Sanctions

If you fall foul of GDPR you could be subject to an official investigation by the supervisory authority (in the UK, the Information Commissioner's Office), and this could result in your company:

• Gaining a bad reputation
• Paying a substantial fine (the regulation allows fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher)
• Being ordered to stop processing personal data, temporarily or permanently

Therefore, be proactive and review whether your existing procedures are fit for purpose in the new situation.

What to Do

  1. You should already have a privacy policy (and it needs to be published on your website). Check it in detail to ensure it remains lawful and appropriate: under GDPR it must state what personal data you collect, why you collect it, the legal basis for doing so, how long you keep it and who you share it with. Do not forget to involve all stakeholders to make sure that everyone is on board and in agreement.
  2. A key aspect is that individuals will have to give clear, affirmative consent (‘opt in’) to receiving communications from you, especially marketing emails and cookie-related web tracking of visitors to your site. Pre-ticked boxes and silence do not count as consent, and people must be able to withdraw it as easily as they gave it. This need not mean the end of these very effective forms of marketing: there are forms of words that will comply in future, but it will involve changing your procedures to ensure compliance. You also need to record each individual consent (who, when, and what they were told) in case you are ever challenged about it.
  3. Any well-run firm will have Customer Relationship Management (CRM) software recording data, which may well include personal information. Review who records this data, who has access to it and how it is looked after, to make sure it does not breach any of the new regulations.
  4. If the worst happens and there is a personal data breach, you need a GDPR-compliant written policy for dealing with it, but not one that gathers dust in a drawer. Bear in mind that a breach likely to put individuals at risk must be reported to the supervisory authority within 72 hours of your becoming aware of it, so the policy must be communicated to all customer-facing staff in your business so that they recognise a breach and escalate it promptly.
  5. Some companies will have to appoint a data protection officer: broadly, those whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data. Ordinarily this will not be a full-time post; it can be added to the responsibilities of an existing member of staff or contracted out. Who will it be? They will need to be trained.

This can all seem a bit much to be handling in addition to all your daily tasks: but we at Odiri Tax Consultants stand ready to review your situation and assist with making the changes that are needed to ensure you stay on the right side of GDPR.

Loveth Watson

Loveth is a qualified accountant and tax consultant with over 20 years’ experience. She started her career with a top-five accountancy practice and held the position of tax manager prior to starting her own practice. Loveth is a member of the Institute of Financial Accountants, the Institute of Public Accountants and the Association of Taxation Technicians. Loveth’s background in accounting, corporate and personal tax enables her to advise shareholders on the personal tax implications of corporate structuring and transactions, ensuring a holistic approach to tax planning. Loveth advises clients in the areas of accounting, tax and business development. Her main focus is on delivering services to owner-managed businesses and seeking structured solutions to the challenges that they face.