A new EU data protection framework, the General Data Protection Regulation (GDPR), was adopted on 8 April 2016 and takes effect from 25 May 2018.
Our recent technical article "New data protection rules from May 2018" gave an introduction to the GDPR, including how its requirements differ from those of the current Data Protection Act (DPA). This follow-up article is intended to address how the GDPR will apply to ATT members by considering some Frequently Asked Questions (FAQs).
Data Protection is a complex area, and the below is only intended as an introduction to the areas which members might need to consider. It is not intended to act as detailed guidance, and should not be relied upon by ATT members. The Information Commissioner’s Office (ICO) website should be referred to for further guidance.
1. How long should members hold client data under the GDPR?
The GDPR does not set specific limits on data retention. It merely requires that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which personal data are stored is limited to a strict minimum.
The short answer is therefore that data should not be retained any longer than necessary for the task performed.
However, ATT members need to balance this with their practical obligations with respect to HMRC time limits for discovery assessments, information requests etc. and also bear in mind that clients will often not keep copies of information which they have provided to their adviser.
The Information Commissioner’s Office (ICO) says that it is good practice to regularly review the personal data you hold and, if you hold more than small amounts of personal data, to establish standard retention periods for different categories. When it comes to determining the length of a retention period, a judgement must be made about:
- The current and future value of the information,
- The costs, risks and liabilities associated with retaining it; and
- The ease or difficulty of making sure it remains accurate and up to date.
The ICO acknowledges that there are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.
This is reflected in the CIOT / ATT Professional Rules and Practice Guidelines 2011 which say that members should implement a policy for retention of documents and records in their files. When deciding the retention period they should consider:
- Periods of retention required by the law;
- The period of time during which actions may be brought in the courts, and which records and working papers might be needed as evidence;
- The period of time for which information in the working papers might be required for use in compiling tax returns.
The ATT recommend that members should keep records and working papers for at least seven years from the end of the tax year, or accounting period, to which they relate or such longer period as the rules of self-assessment may require.
Whatever is decided upon, the retention period or criteria used to determine the retention period have to be included in your privacy statement under the GDPR (see below).
2. Do engagement letters need to ask for the new consent under GDPR?
The GDPR tightens the rules around consent given by data subjects:
- Consent must be specific, informed, unambiguous and given freely.
- There must be a positive opt-in – consent cannot be inferred from silence, inactivity or pre-ticked boxes.
- All requests for consent must be separate from other terms and conditions.
- It must be easy for individuals to withdraw consent.
Once the GDPR is in force all consents in engagement letters (and elsewhere) will need to reflect these stricter conditions. The ATT will be reviewing its engagement letter templates and associated guidance over the coming months and any points which need to be taken into account will be picked up as part of that process.
You are not required to automatically refresh all your existing DPA consents in preparation for the GDPR:
- You can continue to rely on existing consents if they meet the GDPR standards.
- If existing consents don’t meet GDPR standards you will need to seek fresh GDPR compliant consents from clients.
It may however be worth considering whether there is an alternative lawful basis to consent for processing data:
- If you do not rely on consent there is no need to refresh existing consents under GDPR.
- Where you rely on consent, individuals have greater rights over their data (in particular, the right to withdraw that consent at any time).
- It is a requirement of the GDPR that you establish the lawful basis for processing data, so this is an exercise you need to undertake anyway.
Alternative lawful bases for processing data could include:
- The data is necessary for performance of a contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract.
- Legitimate interests: private-sector organisations can process personal data without consent if they have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
The ICO has published draft guidance on consents under the GDPR.
3. Privacy policies – when should these be updated?
Requirements for privacy policies (also referred to as privacy notices) are more detailed under the GDPR, so existing ones need to be reviewed to make sure they are compliant:
- They need to be in clear and plain language, transparent and easily accessible.
- Some further information is required in privacy policies under GDPR – lawful basis for processing, data retention policies and the fact that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.
Privacy policies should be updated as necessary for the introduction of the GDPR in May 2018.
The ICO believe that if you follow the good practice recommendations in their Privacy notices code of practice you will be well placed to comply with the GDPR regime.
Even if you are not relying on consent to process data, you will still need to provide clear and comprehensive information about how you use personal data, in line with the ICO’s privacy notices code.
4. What client data should members hold?
The short answer is the minimum amount necessary.
Under the GDPR data has to be ‘adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed’.
The GDPR applies to both automated personal data and manual filing systems where data is accessible according to specified criteria – this is wider than the DPA, and can include ordered manual records.
Under the GDPR the data controller has to implement appropriate measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
5. What client data should members retain when a client moves to another agent?
There are no specific limits or guidance on this subject in the GDPR.
The answer may depend, in part, upon the lawful basis for processing that data. If you are relying on consent you need to check this extends to situations where individuals are no longer clients:
- The GDPR does not set a specific time limit for consent.
- Consent is likely to degrade over time, but how long it lasts will depend on the context: you will need to consider the scope of the original consent and the individual’s expectations.
As noted above for general data retention policies, you need to balance the requirement to only keep data for the minimum amount of time with your obligations to HMRC, clients etc.
There are also anti-money laundering rules to consider, which require you to keep records for five years after the relationship ends. Furthermore, the updated money laundering regulations (The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017) set out in Regulation 40(5) that any personal information obtained for the purposes of the regulations must be deleted five years after the end of a business relationship unless:
- The business is required to retain it under statutory obligation, or
- The business is required to retain it for legal proceedings, or
- The data subject has consented to the retention.
The ICO’s data protection guidance acknowledges that you may not need to delete all personal data when the relationship ends. You may need to keep some information so that you can confirm that the relationship existed – and that it has ended – as well as some details.
The ICO also acknowledges that there are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.
As noted above, the ATT recommend that members should keep records and working papers for at least seven years from the end of the tax year, or accounting period, to which they relate or such longer period as the rules of self-assessment may require.
Under the GDPR individuals have a right to have personal data erased and prevent processing where the personal data is no longer necessary in relation to the purpose for which it was originally collected / processed (the right to be forgotten). It is not yet clear how this will work in practice where a previous adviser holds information across different documents which they may be required to retain for compliance purposes – for example details of bank accounts on submitted tax returns.
6. What records do I need to keep to be GDPR compliant?
A key change under the GDPR is accountability: you need to demonstrate that you comply with the principles, and the GDPR states explicitly that this is your responsibility. Ways of demonstrating this include:
- Providing clear and transparent privacy policies.
- If you are relying on consent, being able to demonstrate that the data subject has given a valid consent. This should include keeping records to show:
  - Who consented
  - When they consented
  - What they were told at the time
  - How they consented, e.g. for written consent a copy of the relevant document
  - Whether they have withdrawn consent, and if so when.
- If you have 250 or more employees, keeping additional written records of all processing activities including:
  - Name and details of your organisation and, where applicable, other controllers, your representative and data protection officer.
  - Purposes of the processing.
  - Description of the categories of individuals and personal data.
  - Categories of recipients to whom the personal data has been or will be disclosed.
  - Details of transfers to third countries (i.e. outside the EU) including the safeguards in place.
  - Retention schedules (where possible).
  - Description of technical and organisational security measures (where possible).
- If you have fewer than 250 employees detailed records of processing activities only have to be kept for higher risk processing, such as processing personal data which could result in a risk to the rights and freedoms of an individual, processing which is not occasional, or processing of special categories of data (including that revealing race or ethnic origin, religious beliefs, political opinions, health data or genetic / biometric data) or criminal convictions and offences.
- Carrying out and documenting a Data Protection Impact Assessment (DPIA, also known as a privacy impact assessment) if processing is likely to result in a high risk to individuals, for example:
  - Where new technologies are used.
  - Where a profiling operation is likely to significantly affect individuals.
  - Large scale processing of special categories of data (race, health records, sexual orientation, religion etc.) or personal data relating to criminal convictions or offences.
- Appointing a Data Protection Officer (DPO) if you:
  - Are a public authority,
  - Carry out large scale systematic monitoring of individuals (e.g. online behaviour tracking), or
  - Carry out large scale processing of special categories of data such as health records, or data relating to criminal convictions and offences.