Data Security – Data Protection Regulation - Ensuring Compliance

The General Data Protection Regulation (EU 2016/679) came into force on 25 May 2018, adding new elements and significant enhancements to the existing data protection regime.

Roles and Responsibilities

In the run-up to GDPR you will have considered whether you needed to formally appoint a Data Protection Officer (DPO) – a necessity if:

  • You are a public authority or body; or
  • Your core activities require large scale, regular and systematic monitoring of individuals; or
  • Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

Many organisations chose to ensure that an individual or department has responsibility for privacy activities without the need for a formal DPO appointment. Ensuring that the roles and responsibilities for data protection are well known and documented in your organisation is a key compliance requirement.

ROPA - Record of Processing Activities

Documentation of the processing activities carried out by the organisation is a requirement of Article 30 of the GDPR (both UK and EU) if your organisation has over 250 employees. It is also a requirement for smaller organisations if the processing you carry out:

  • is not occasional
  • is likely to impact the rights and freedoms of individuals; and
  • involves special category data or criminal conviction and offence data.

Your ROPA should contain a data map of the systems that hold personal data, along with information on the lawful basis for processing, the purposes and methods of processing, data sharing arrangements, and data retention policies and procedures.

It is important to review this documentation regularly, as your processing activities are likely to change over time.

There is further guidance from the ICO on ROPA best practice.

Policies and procedures

Your policies and procedures should clearly outline roles and responsibilities in your organisation across a number of privacy-related areas:

  • Data Protection and records management
  • Information security including breaches and incident management
  • The provision of information following individual rights requests – such as subject access requests and information notices
  • Data Protection by design and default, to ensure issues are considered and documented (privacy impact assessments) when new systems, services, products and processes are implemented, or existing ones amended
  • The privacy policy on your website, which should be reviewed regularly with the date of last update clearly displayed

Supplier Management

It is essential that contracts are in place with organisations that process data on your behalf. Contracts should set out the details of the processing, including:

  • The subject matter of the processing
  • Duration of the processing
  • Nature and purpose of the processing
  • Type of personal data and categories of data subjects
  • Whether any sub-processors are used.

A framework of due diligence checks is needed to confirm that these organisations have implemented the appropriate technical and organisational measures required to meet GDPR.

Regularly reviewing the contracts and data sharing agreements you have in place with other organisations is recommended.

Training

Making sure your staff are aware of their responsibilities with regard to processing personal data is key. Induction and refresher training should cover data protection, potential security threats and your organisation’s information governance policies and structures. Monitoring and documenting training completion is an important element in being able to demonstrate your compliance.

Other laws and regulations

There are various other Acts and regulations in the UK which have a bearing on data security. These include:

  • Privacy and Electronic Communications Regulations (PECR) 2003 – which cover ‘spam’ and mass-marketing mailshots. Further regulations under PECR are issued from time to time: for example, regulations on the use of cookies on websites, and, in 2016, a requirement that anyone making a marketing call display their number
  • Copyright, Designs and Patents Act – amended in 2002 to cover software theft
  • Other IT standards and regulations may also apply: for example, companies processing credit card transactions need to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Sources and links

ICO home page for organisations

EU GDPR portal - http://www.eugdpr.org/
