GDPR: Am I doing it right? - Dr Sarah Cannataci

10 Feb 2020 15:00 | Anonymous
The Accountant – What's Next?  –  Winter 2020 (MIA Publication)
Unless you have been living under a rock for the past three years, you have surely heard of GDPR and, perhaps, suffered a few headaches because of it, too.
Although most businesses put in some work in the weeks leading up to the 25th May 2018 and left it at that, one should ensure constant compliance with the provisions of the regulation. The main challenge for organisations is how to successfully weave compliance with data protection law into their day-to-day functions. But the secret is simpler than you might think.

Let’s start with the basics
What personal data do I process?
Personal data is any information that can directly or indirectly relate to the identification of a living individual. In most cases, the personal data generally processed by the accountancy profession is that pertaining to clients, as well as employees in the case of accountancy firms. This definition is very wide: personal data ranges from a person's name and surname to national identity documentation, photos and biometric data.
How am I processing this personal data?
The GDPR applies to the systematic processing (collection, storage, adaptation, destruction) of personal data. So, whether you receive information relating to an individual via email, or keep accounting information related to clients on file as per your legal obligations, you are processing personal data.
Why am I processing this personal data?
In the regulated accountancy profession, the processing of personal data relating to clients is usually done for compliance with a legal obligation or for the performance of a contract. In the case of employees, the lawful basis underlying the processing might also be legitimate interest or, though less likely, consent. You may be processing the data in your role as a Data Controller or a Data Processor – your role changes depending on the specific processing operation, but under the GDPR, there is a flow-down of obligations and liability from the Data Controller to the Data Processor(s).
Tips for ongoing compliance
A. Record Keeping
You are not only obliged to comply with the provisions of the GDPR, but you need to be able to demonstrate said compliance. Create a GDPR Compliance Folder and document what personal data you process and why, how you obtained it and who you share it with, and ensure that you keep these records updated.
B. Policies & Procedures
Review your client-facing documentation to ensure that any privacy notices are up-to-date and provide the data subjects all the information they are entitled to. If you have employees, carry out the same exercise with any Employee Privacy Notices or Handbooks. Initiate internal procedures and policies to complement the processing and, more importantly, to address certain situations, such as (i) how to handle a request for the exercise of a data subject right; (ii) when a data breach is suffered or suspected; or (iii) when a request for access to CCTV footage is received.
C. Retention of data
The GDPR does not set specific limits on data retention, but the legislation regulating the accountancy profession sets out specific periods in relation to particular documents and information. There are other sources that can assist in this exercise, namely guidance issued by bodies such as the ACCA which set out minimum retention periods for certain documents, such as audit working papers. Ultimately, any retention schedule you draw up must be justifiable.
D. Regulating Relationships
If you are processing personal data on someone else’s behalf or have engaged someone else to process it on your behalf, you should regulate your relationship by putting into place a written contract with any such third party. Make sure that any such Data Processing Agreements are reflective of the processing being undertaken (duration, purpose, type of personal data, etc.) and that such agreements are updated accordingly should the relationship change.
E. Maintaining Security
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This event is usually characterised by (i) a loss of confidentiality; (ii) a loss of integrity; or (iii) a loss of availability of the personal data being processed. Lay down a procedure for when a data breach is discovered, establishing tight timeframes in which reporting to the Supervisory Authority should be made. Additionally, an assessment of all factors relating to the security of the personal data is crucial.
The biggest change you can implement, however, is to change your mindset. GDPR is not an additional burden on your daily functions, but rather an integral part of your operations. When adherence to data protection principles becomes part of your modus operandi, compliance with the GDPR is a piece of cake!

Dr Sarah Cannataci is an Associate within the Technology, Media & Telecommunications department of Fenech & Fenech Advocates. Her work primarily involves assisting and advising clients in relation to information technology and data protection law as well as trademarks, copyright, and design rights amongst other intellectual property issues.

