General Data Protection Regulation and Network 4M

Person responsible for implementation

M G Ede will oversee the implementation.  There is no need to appoint a Data Protection Officer.  Instead it is recommended that one person is appointed Head of Privacy, which is less onerous.

Effective date

25 May 2018.

Scope

The Regulation relates to personal data, that is data which identifies living individuals.  It does not apply to data about companies.

We need to identify what personal data we are storing.

This is confined to date of birth, address, NI Number, UTR, and material gathered for identification purposes such as copies of passports and utility bills.  In addition to clients for whom we prepare Tax Returns and Directors of Limited Company clients, we also hold this information for employees of clients where we do the payroll.

We have to identify who we are sharing the data with.  HMRC and Companies House are obvious ones.  Occasionally we may need to share information with suppliers such as SAGE.  In addition Iconology has access to our data.  This is covered by statements in our Privacy Notice.  [We need to get a confidentiality letter from Iconology.]

We need to delete files for ex-clients for whom we no longer act.  This would be six years after we ceased acting.  We should not retain data for longer than necessary.  We should also consider deleting files over six years old for existing clients, but we must first ensure that any data of long-term significance, such as the cost price of assets subject to Capital Gains Tax, is moved to the Permanent File.  We should have a form to record what data we hold when any client leaves.  Consideration is to be given to moving ex-clients to the R drive.  [Reference was made to archiving but this needed clarification.]

One of the new features is having a procedure to prove data has been deleted when this has been requested by a client or ex-client.  However, before any file is deleted we must first check whether there is a statutory reason which overrides the request.  Assuming there is none, we must proceed to deletion, covering every location listed on the data map and not just the main client file.

We must map out where this data is stored.  We should make sure that we do not keep any paper details of people's identity; everything should be on our system.  Data is currently stored on PTP tax software, in the Admin section of clients' files on the P drive, in our client databases, in our Companies House filing files, in SAGE payroll and in Network 4M's Sales Ledger.

The best solution is probably to have a spreadsheet on which we list every client for whom we store data and where it is held on our system, i.e. PTP, P Drive etc.  This map is also what we will work from when responding to a deletion request.

Data Security

We must describe in writing what measures we and our agents (such as Iconology) have taken to keep data secure.

Encryption is not mandatory for data at rest, although GDPR lists it as an example of an appropriate security measure.  As regards data at rest, Iconology have said that encrypting the Cloud server is not worth doing and that we should instead tighten up security on access to our server.  They recommend that each user is given a VPN connection, which provides a secure tunnel to Azure, where our server is hosted.  This means that any data travelling between our laptops and the server is encrypted.  Passwords will have to be entered on each occasion and cannot be saved.  Note that the VPN protects data in transit only; it does not protect data held on a laptop that is lost or stolen, which is a further reason not to keep copies of client data locally.

Iconology will provide us with a statement of what controls exist over our server and of the back-up procedures.  They will also provide a clear statement of where our Cloud storage provider holds our data.  It must be in the UK.

As regards data in transit, this is where encryption is suggested.  Iconology are providing an alteration to our existing email system which will enable us to encrypt certain, but not all, emails.  It can be used for replies and for forwarding.  All we have to do is type the word "encrypt" in the subject line.  As with other systems, the recipient receives a notification that a secure email has been sent by us.  The recipient is given the choice of accessing it through a Microsoft account which they may already have, setting up a new one, or using a one-time login.  Most people choose the latter.  Because the encryption depends on staff adding the keyword, any email sent without it goes out unencrypted, so the written procedures must say which categories of email always require it.

The encryption extends to attachments, so this could be used for sending Tax Returns or Payslips.  However, we may prefer to use the IRIS portal for the transmission of encrypted tax documents and the inbuilt encryption available within SAGE payroll for transmitting payslips.  The ability to encrypt emails enables us to send anything else securely.

We need to see whether we can further restrict access to data by non-directors and subcontractors.  We could look at moving client IDs on to the R drive, where access is limited.

Changes to existing contracts

Our existing Engagement Letters do not need changing, but Clause 8 of our Terms of Business does need changing and we need to have a Privacy Notice.  These have been drafted.  The question remains how we communicate them to clients.  It is suggested that we definitely put the Privacy Notice on our website, and possibly the Terms of Business as well.  We then need to draw the attention of clients to these changes.

Network 4M will be a data controller rather than a data processor.  A controller is a person who alone, jointly or in common with others determines the purposes and manner in which personal data is processed.  A data processor is someone who acts on behalf of the controller, such as a payroll provider.  Since we run payroll on behalf of clients, that part of our work may fit the processor description, and our role for payroll should be confirmed and reflected in the Privacy Notice.

We must review employment contracts to include a complaints procedure for an employee who thinks their data has been misused.  We also need a procedure for obtaining an employee's consent before we disclose their data in particular circumstances, such as for a bank reference.

We will have to email non-clients to confirm that they are happy to receive mailings from us, and ask clients whether they wish to receive mailings.  This has to be separate from the Letter of Engagement.

Written Procedures

We need to demonstrate our compliance with GDPR, and this is best achieved by having written procedures.  These will help make staff aware of what they should not do.  The procedures will also document the actions we need to take in specific circumstances, for example where we believe data has been stolen or where a former client requests confirmation that his or her data has been deleted.

Staff training

We need to consider how much training to give.  Of more importance is to ensure that no one other than a director ever discloses any personal information about a client, a member of staff, or a member of staff of a client.