The new data protection law became effective from the 25th May which has changed the role of Company Secretary a bit and here is the detailed information how the life of a Company Secretary is affected.
What Do You Understand By GDPR?
As mentioned on the official portal “the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
Basically, GDPR is an objective to provide greater power to citizens to regulate on how their personal data is being used, particularly in a period when organizations repeatedly exchange and sell the digital data online.
As mentioned on the official portal www.dataprotection.ie, “Organisations involved in data processing of any sort need to be aware (that) the regulation addresses them directly in terms of the obligations it imposes.”
Even after imposition of Brexit, compliance will be important for the company who wants to run a business in the EU. Actually, organisations accessing personal information of customers, prospects or employees who are citizens of EU and/or in the EU, covered under this scope, no matter where the company is located across the world, even if the information is accessed outside the scope of the EU.
The acquaintance of the GDPR shows an important shift in the manner organisations regulate and save all the personal information they keep, and it will impact the business in every certain aspect. Therefore, many private companies will need to hire Data Protection Officers, regardless of the size and whether the companies are accessing the personal information in the capacity of a processor or a controller. Irrespective of their size and whether they are processing personal data in the ability of a controller or a processor.
Latest GDPR Provisions Under The Accountancy Domain
General Data Protection Regulation (GDPR) is a provision in European Union to protect the personal data of individual within the EU. The existing Data Protection Act (DPA) is still applicable under GDPR. So, the business who are beforehand following the DPA will not need to begin from the line but they need to restore the existing processes once the GDPR comes into effect. The GDPR may come with new standards, therefore it will necessary for an accountant, who already is compliant with the DPA, to be updated.
Audit Of Data:
The initial step for several accountants in upcoming time will be to execute an audit of data kept and current data operations, adding the behaviour of how data is transferred, treated and received. It should also encompass an evaluation of how information is used between the departments or trans located outside the business.
After completing the audit, it also requires to mention “at risk” fields that need attention.
Privacy And Consent:
Accountants and businesses are required to be aware of what they are choosing in to get and how the information is being utilized. Urges for consent are easy to grasp and individuals should take it simply to roll back the consent at any platform. Consent appeals should utilize unmarked opt-in boxes; favourable opt-in instead of an opt-out box is needed under the provision. Once consent makes its way to grant list, practices and businesses should consistently review the procedure and regulate documented proof of the outcome and reviews.
Privacy notices are required to be apparent and posted on a website of the business. They should notify the businesses that the information is being gathered, what is the reason behind processing and the data is shared with whom. Privacy notices are also the part of letters and forms sent to businesses.
The provision makes the business to access the individual information and urges for the copy of the data held, without paying any cost. Although, individuals can charge an appropriate fee if the appeals are excessive or ostensibly unfounded, and in the case when the request is monotonous or repetitive.
The chargeable fee depends on the administrative cost for the available data. Practices and businesses should comply along with the data request in a calendar month, stretchable up to two months in case of complex request. Businesses can go for a process by which the requests can be met before 28 days, making sure that they access all requests in a calendar month.
Requests to update and rectify data should as well be answered in a month and individuals should have a particular record management steps in order to process the request in time.
Proof of Responsibility:
Practices and businesses are required to show how they follow the GDPR norms, adding the outlook to information protection and the way compliance policies are regulated and implemented. These policies are required to be reviewed for productiveness in a timely manner. All members keeping personal information should be educated on accountability and individuals should consistently talk about important messages by circulars, articles, posters and team meetings. Contracts along with data processors must add clauses as per the requirements under General Data Protection Regulation (GDPR). Data controllers are responsible for compliance of the processor along with the regulations.
IT And Security:
Practices and businesses require to implement security provisions properly for the extent of risk level and personal data occupation. IT systems must be secure and safe, along with adequate resources and time spent making sure that systems can access information without any risk to security.
Any infringements in information should be mentioned to particulars in some cases. Infringement reporting process must be put, any breach can make the freedom and rights at risk and it is required to be reported regarding the same to the Information Commissioner’s Office.
Here are the 9 Steps to F
urnish for GDPR:
Read and try to consume as much as on the subject matter. The team also requires to know how the regulation terms will impact the procedures and policies for the course of employment, for recruitment and what to do in case of when the contracts are broken.
Inspect and make changes to existing information protection policies. It is not very important to make sure that any alterations and changes are apparently discussed to your employees. Identical opportunities policies are also required to be revised to equal opportunities policies to describe any changes to the manner in which sensitive data is retained and stored.
Check the current relationships with contractors, data processors and service providers. Do you want any improvement in the way to operate a business?
Revise the documents that suggest to data processing, as employees have rights now to wish transparency for this. Work in collaboration with other key stakeholders in order to make sure that all personal information is worked properly.
Make sure that you work with the appropriate systems to inform the regulator if an information leak should happen. Notify each member of staff about the correct process and reaction if this happens. Establishing an information leak programme is important to make sure that the correct protocols are inspected.
With your IT team, you require to make sure that IT system permits your team to remove information in an extensive manner, as information subjects may have the latest right to be forgotten.
Employees can get an improved right over the information in a professional atmosphere. Employers are required to step forward to make sure that the employees have articulately agreed to the use of the information. Where the approvement is required, you should think using a different form for this purpose, instead of adding it as a compartment in an employment contract.
Inspect all the current privacy summons and revise them to make sure they follow with more review all your current privacy notices and update them to ensure the more extensive data needs. All information added should be simple for job applicants and employees to understand.
Inspect any systems you may have adding personal data being kept outside of the UK.