Incorpro GDPR Policy

1. Incorpro’s GDPR Policies

Six Core Principles

Incorpro shall at all times comply with its data protection obligations under the GDPR, in keeping with the six core principles of GDPR that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency)
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Purpose Limitation)
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data Minimisation)
  4. Accurate and where necessary kept up to date (Accuracy)
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (Storage Limitation)
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (Integrity and Confidentiality).

Based on these principles, for each piece or type of personal data we hold, the firm is able to demonstrate on demand (i.e. accountability):

  • Why we are holding it;
  • How we obtained it;
  • The purpose/s we use it for;
  • How long we will retain it;
  • How secure it is in terms of its accessibility and data security; and
  • On what basis we share it with any third parties.

Further points

In addition to the 6 core principles, the firm shall ensure that:

Training & Education

  • There are sufficient levels of awareness of data protection in our organisation;
  • Our staff are aware of their data protection responsibilities – including the need for confidentiality; and
  • Data protection is included as part of the training programme for our staff and this training is regularly refreshed.

Co-ordination and Compliance

  • It has been determined that a Data Protection Officer is not required and Andrew Doherty has been nominated as Head of Privacy.
  • All staff are aware of their role in data protection compliance.
  • Mechanisms are in place for formal review by the Head of Privacy within our organisation.
  • We have an overall framework in place that demonstrates how we comply with GDPR.
  • There is regular monitoring and auditing of our data protection framework for GDPR compliance.

2. Responsibilities and Reporting Lines

The firm has appointed Andrew Doherty as Head of Privacy. Andrew Doherty is responsible for compliance with GDPR and all personal data processing and data security within the firm.

Consideration of whether the firm needs to appoint a Data Protection Officer (DPO)

The GDPR specifies that a Data Protection Officer (DPO) must be appointed when:

  • the core activities of the firm consist of regular and systematic monitoring of data subjects on a ‘large’ scale; or
  • the firm processes special category data or criminal offences, again if on a ‘large’ scale.

In view of these criteria and the firm’s activities, the firm has considered whether it is required to appoint a DPO and has decided not to appoint a DPO.

3. Data Processing

Handling of client data

Based on our Data Map, the following are the main types of data, data subjects, types of data processing, and our status as Controller or Processor.

Personal data processed by this firm

The firm processes two different types of personal data: client data and firm data.

  • 'Client data' is personal data received from clients in relation to professional engagements and practice; and
  • 'Firm data' is personal data held by a firm in relation to its own management, employees and affairs generally, including marketing databases.

Categories of Data Subjects

The firm holds personal data for the following categories of people (Data Subjects):

  1. Business Partners/Directors in the firm who are living natural persons
  2. Current clients and their family members who are living natural persons (includes their Anti-Money Laundering customer due diligence data)
  3. Employees of clients for whom we process outsourced payroll etc.
  4. Former clients and their former employees for whom we have processed payroll etc. in the past
  5. Prospective clients (on a mailing list for example)
  6. Sub-Contractors of the firm
  7. Existing staff & former staff of the firm
  8. Job applicants to the firm
  9. Other ‘Contacts’ not already included on the above lists including complainants, enquirers etc.

Client data processing carried out by the firm

Customer Due Diligence

For all clients, the firm is obliged to obtain Customer Due Diligence information under Anti Money Laundering legislation. This data includes copies of passports (or similar photographic ID) which record the date of birth and nationality of clients, and utility bills (or similar) which provide evidence of the home address. This is considered to be personal data.

Data obtained in the provision of services

Accounts preparation and book keeping assignments for corporate clients - the firm obtains and processes personal data concerning a number of persons associated with the entity, including the directors, staff, customers, suppliers, subcontractors and other natural persons who are service providers of the client.

Accounts preparation assignments for unincorporated clients - In this case the firm considers all information obtained to be personal data because there is no legal separation between the business and the personal affairs of the client.

Corporation tax advice assignments - the firm may obtain personal data concerning the directors and staff of the company.

Personal Tax - Income tax including directors’ PAYE, capital gains tax, capital acquisitions tax, and other personal tax heads. In these assignments, it is assumed that all data obtained and processed is personal data processed by the firm.

Payroll Services - the firm obtains and processes personal data concerning the directors and staff of the clients.

In all of the above assignments, the firm will obtain names, addresses, email addresses, dates of birth, salary levels and other similar information. In personal tax, extensive details of the personal financial affairs of the client are obtained. In some personal tax cases, we may obtain information regarding the state of health of the client, which may be relevant to the claiming of personal tax credits. In some cases, the firm may obtain personal data concerning persons under eighteen years who are employed by clients.

Lawful Basis

The GDPR stipulates that a firm must establish that it has a lawful basis for processing data. In relation to ‘client data’, the firm considers that the lawful bases are to meet the specific legal obligation to maintain documentation.

In all professional engagements, the firm considers that it has a legal right and obligation to maintain engagement files and correspondence files containing personal data so that it can subsequently demonstrate that it complied with its contractual obligations and that it applied due skill and care, as well as complying with other legal and professional obligations in the performance of the engagements.

It is the firm’s policy to identify and document the lawful basis for processing data at the start of the client engagement and to inform individual clients of this via a privacy notice, as an addendum to the engagement letter. Corporate clients will be required to separately sign an addendum setting out the data processing obligations of the firm and the client, as required by the GDPR. The following are the lawful bases identified by the firm for holding and processing client data:

Type of Engagement                                                     | Lawful basis for processing personal data
-----------------------------------------------------------------------|-----------------------------------------------------------
Accounts preparation and book keeping assignments for corporate clients | Necessary for Contract, Legal Obligation, Legitimate Interests
Accounts preparation assignments for unincorporated clients             | Necessary for Contract, Legal Obligation, Legitimate Interests
Corporation tax compliance & advisory assignments                       | Necessary for Contract, Legal Obligation, Legitimate Interests
Personal Tax                                                            | Necessary for Contract, Legal Obligation, Legitimate Interests
Payroll Services                                                        | Necessary for Contract, Legal Obligation, Legitimate Interests

Employee Data: The firm considers that it has a legal obligation to hold personal data of employees, and that the processing of employees’ personal data is necessary to fulfil the firm’s obligations under the employment contract of each employee. The firm holds only that personal data that is necessary to hold, and for the retention periods set out in its data retention policy. This is specified in the privacy statement in the firm’s employee handbook.

Special Category Data

The firm acknowledges that personal data which reveals racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data and data concerning individuals’ sex life or orientation are considered ‘Special Category Data’ under the GDPR, and that processing such data is prohibited unless an exception applies. The firm does not intend to process Special Category Data on behalf of clients, and in any case will not do so unless an exception applies, as provided in the GDPR. Where it is necessary for the firm to process Special Category Data of an employee, the firm will do so in accordance with the employee handbook.

The firm’s status as a Data Controller or Processor

The firm acknowledges that, in accordance with the GDPR and the guidance of the EU Article 29 Working Party, the firm may be a data processor where a corporate client determines the purposes and means by which the firm processes personal data, and the firm is a data controller where the firm itself determines the purposes and means by which it processes personal data.

The firm considers that it generally acts as a controller or processor in accordance with the following table:

Type of Engagement                                                     | Controller or Processor
-----------------------------------------------------------------------|------------------------
Accounts preparation and book keeping assignments for corporate clients | Controller
Accounts preparation assignments for unincorporated clients             | Controller
Corporation tax compliance & advisory assignments                       | Controller
Personal Tax                                                            | Controller
Payroll Services                                                        | Controller

Contracts between data processors and data controllers

The firm uses the following service providers as data processors:

  • Thesaurus Software Limited
  • ID-Pal Limited
  • Google Ireland Limited
  • PythonAnywhere LLP

The firm has put in place written contracts with these providers, including:

  • The subject matter and duration of the processing;
  • Nature and purpose of the processing;
  • Type of personal data processed;
  • Categories of data subjects involved; and
  • Obligations and rights of the controller.

None of these service providers are based outside the EU. For service providers based outside the EU (such as cloud storage providers), the firm will obtain a GDPR compliance statement confirming in writing that any data transferred out of the EU, either to or by the service provider, is transferred and processed in a manner compliant with GDPR requirements.

The firm’s responsibilities when it acts as Data Controller

Where the firm acts as a Data Controller, it acknowledges that it is subject to the full scope of data protection obligations imposed by the GDPR. This includes (but is not limited to) the firm’s obligations to:

  • provide privacy notices to all data subjects *;
  • respond to subject access requests from data subjects; and
  • report data breaches to the Data Protection Commission

* Article 14 of the GDPR contains limited exemptions from these requirements where the firm has not collected data directly from the data subjects. This is dealt with in more detail later in this section, under Privacy statements.

The firm’s responsibilities when it acts as Data Processor

Where the firm acts as a Data Processor, it acknowledges that it is subject to certain data protection obligations imposed by the GDPR. These obligations are:

  • To process data only on the documented instructions from the controller (corporate client);
  • To take all appropriate technical and organisational measures to ensure the security of personal data;
  • To sub-contract only with the prior written permission of the controller;
  • To co-operate with the Data Protection Commission;
  • To conduct Data Protection Impact Assessments where required in accordance with GDPR;
  • To maintain records of data processing activities;
  • To report any data breach to the controller without undue delay; and
  • To comply with any additional obligations in an agreed data processing contract with the controller.

Privacy Statements

Where the firm acts as a data controller, it is the firm’s policy to ensure the information below is supplied to data subjects (including to our employees and job candidates) before their personal data is collected and processed by the firm:

  • The firm’s name and contact details, and the name and contact details of data protection officer (where one has been appointed);
  • The purpose(s) of the processing as well as the legal bases for processing;
  • Where the legal basis for processing is based on the firm’s legitimate interests, those legitimate interests should be identified;
  • The recipients or categories of recipients of personal data;
  • Whether the firm intends to transfer personal data to any non-EEA country and the legal basis for the transfer;
  • The retention period for personal data and the criteria used to determine this;
  • How data subjects can exercise their right of access, rectification, erasure, restriction to processing, objection to processing and data portability, if such rights apply;
  • How data subjects can retract their consent to processing, where the processing by the firm is based on consent;
  • The right to submit a complaint to the relevant Data Protection Supervisory Authority (i.e. DPC);
  • Whether the data subject is required to provide their personal data pursuant to statute or a contract, and the consequences of failing to provide such data; and
  • The existence of automated decision-making, including profiling, and the logic and consequences of the processing for the data subject.

With regard to firm employees, the firm will provide this information in the form of a notice to job candidates and a further privacy policy will be supplied to successful job applicants in the employee handbook as part of their induction to the firm.

Where the firm acts as a Data Controller to a client, we will provide a copy of our privacy notice as an appendix to our Engagement Letter with this client, thus covering our responsibilities to the client and its data subjects in this regard. The firm will also include its Privacy Notice on its website.

4. The Rights of Data Subjects

The data subjects of the firm have the following rights:

  • Right to be informed (see Privacy Statements under Section 3);
  • Right of access (see below);
  • Right to rectification (see below);
  • Right to erasure (‘right to be forgotten’ – see below);
  • Right to restrict processing (see below);
  • Right to object (see below);
  • Right to data portability (see below); and
  • Rights re: automated decision making and profiling.

Data Subject Access Requests (DSARs)

Data subjects have the right to make a DSAR. The DSAR may be for all personal data of that data subject held by the firm or a subset of the data. The firm must respond to the request within 1 month, unless the firm can show that the request is manifestly unfounded or excessive, or where the request is sufficiently complex or one of a number of requests (in which case the response time may be extended to 3 months). The firm does not have the right to charge a fee for processing this request, again unless the firm can show that the request is manifestly unfounded or excessive.

Any DSAR received by the firm shall immediately be referred to Andrew Doherty who is responsible for co-ordinating the firm’s response to any DSAR.

Where the firm receives a DSAR, the firm will first conduct due diligence to confirm the identity of the data subject. The firm will not comply with DSARs made by anyone other than the data subject him/herself.

Where the firm receives a DSAR, the firm will assess all data held on behalf of the individual, including data held on:

  • The firm’s central data server;
  • Laptops and personal computers in the firm;
  • Stored emails and other electronic messaging systems; and
  • Paper files.

Hard copies will be made of any documentation containing personal data of the data subject who made the DSAR.

All data relating to any individuals other than the maker of the request will be redacted. The firm will consider whether its legal and professional obligations require any data held by the firm to be kept confidential.

Records of all DSARs and response times shall be kept by the firm in a DSAR register.

Right of Erasure (Right to be Forgotten)

Data subjects have the right to request erasure of their personal data where the firm does not have a legitimate reason for retaining such data. Where the firm receives a request for erasure from a data subject, then the firm will assess all personal data held on the data subject, including data held on:

  • The firm’s central data server;
  • Laptops and personal computers in the firm;
  • Stored emails and other electronic messaging systems; and
  • Paper files.

All personal data deemed as not held for a legitimate purpose will be deleted/destroyed in line with the firm’s policy.

Right of Rectification

Data Subjects have the right to require that their personal data be up to date and accurate. Where the firm receives a request from a data subject, the firm will verify whether the data subject’s data is up to date and accurate, and if not will make requested corrections.

Right to Restrict Processing

Where a data subject is contesting the accuracy of his/her personal data held by the firm (see right to rectification above), or is objecting to processing (see right to object below), or where the processing is unlawful, the data subject has the right to restrict processing of his/her personal data.

The firm’s policy is to follow the same procedure as for a request under the Right to Erasure. It will review all data held by the firm relating to the data subject and consider whether it holds any data in excess of that needed under its legitimate purpose. It will then restrict future processing of any “excess” data in accordance with the request of the data subject.

The Right to Object to Processing

Under this right the data subject can object to the processing of his or her data. The firm’s policy is to follow the same procedure as for a request under the Right to Erasure above. It will review all data held by the firm relating to the data subject and consider whether it holds/processes any data in excess of that needed under its legitimate purpose. It will cease any processing of any “excess” data in accordance with the request of the data subject.

Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. This means they should be able to move, copy or transfer personal data easily from one IT environment to another, and from one service provider to another, in a safe and secure way. This is an extension of the access right, and data subjects have the right to receive their data in a structured and machine-readable form.

The right to data portability applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • the processing is carried out by automated means.

The firm considers that, because it does not generally process personal data by purely automated means, it does not hold data which would be subject to a data portability request.

In the event that the firm determines that it holds data relevant to a data portability request, it will review the personal data held. The firm will then determine the electronic format in which the data has been requested to be transferred, (e.g. the electronic file type). All data relating to any individuals other than the maker of the request, will be redacted. The firm will then consider whether its legal and professional obligations require any data held by the firm to be kept confidential and transfer the data deemed not subject to these restrictions to the third party (who may be another accountancy firm) as requested by the individual.

5. Data Governance

Accountability

The firm is required to be able to demonstrate compliance with each of its obligations under the GDPR. This requires that internal mechanisms and control systems are put in place to ensure compliance with the GDPR and that there is documentary evidence to prove this. This evidence may need to be produced to external stakeholders, including supervisory authorities (such as the Data Protection Commission (DPC) in the Republic of Ireland and the Information Commissioner’s Office (ICO) in the UK & Northern Ireland).

The firm demonstrates GDPR compliance through, for example, its policies addressing Data Protection Impact Assessments, Privacy Notices, Privacy by Design and Data Retention.

Data Protection Impact Assessments (DPIAs)

DPIAs are requirements under the GDPR in relation to processing activities that are likely to result in high risks to the rights of data subjects. DPIAs may be required particularly in relation to the roll-out of new technologies, such as significant new IT systems or new working practices.

It is the firm’s policy to conduct a DPIA to assess the risks inherent in any proposed new processing activities, so that the firm can identify and mitigate the associated data protection risks before it commences those activities. In rollouts of new IT systems, for example, a DPIA must be completed, with satisfactory results, before processing of live data is carried out.

It is the firm’s policy to not carry out any activities that would require mandatory DPIAs, such as systematic and extensive evaluation of individuals based on automated processing (profiling), large scale processing of special categories of data and personal data relating to criminal convictions and offences, or systematic monitoring of public areas on a large scale.

Where a DPIA is required, Andrew Doherty shall be responsible for co-ordinating the DPIA within the firm. The DPIA shall include:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Where appropriate and practical, the firm will seek the views of data subjects or their representatives on the intended processing.

Where the DPIA indicates that the intended processing would result in a high risk in the absence of mitigating measures taken by the firm, the firm will consult with the DPC prior to beginning such processing.

Privacy by Design

It is the firm’s policy to place the protection of privacy at the centre of all decision making processes and at the start of any new service development or process development. The firm will consider both appropriate technological and organisational measures to ensure GDPR compliance in these circumstances.

If the firm is considering, for example, changes to working practices (e.g. homeworking), an office redesign or installing new technology, then means to protect the privacy of data subjects must be included in the decision making process and the rolling out of the change.

Transferring Data out of the European Economic Area (EEA)

It is the firm’s policy to not transfer any personal data outside the EEA for any purpose. This policy will be reviewed following the United Kingdom leaving the European Union.

Document Retention

Data must only be held for the purpose for which it was collected and only for ‘as long as necessary’.

The firm’s policy in relation to document retention for client data

The firm has a policy of retaining all documentation in relation to the following assignments for seven years from the date that the documentation was first received or created by the firm, or the completion date of the assignment. Data is also held for former clients under this policy.

  • Tax files – Revenue Commissioner/HMRC regulations;
  • Criminal cases (e.g. anti-money laundering – legal requirements & required firm policy);
  • Contracts – for the life of the contract; and
  • Employee details – statutory requirements.

It is the firm’s policy to carry out an annual review of all the data it holds and on what grounds the data is held (by category). Following on from this review, decisions must be made whether the firm continues to need the data that it holds.

The firm’s policy for holding data of former employees (following the retention period noted above) is to only hold the employee name, address and email details to enable the firm to contact the former employee, for a specific purpose (e.g. changes to a pension scheme, employment opportunity) in the future.

6. Security Controls under GDPR

Appropriate Security Controls for information

It is the firm’s policy to comply with its security obligations in relation to personal information by implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are present.

These measures include:

  • Pseudonymisation of data where possible and practical. The GDPR distinguishes “anonymous” data (namely, data rendered anonymous in such a manner that the individual is not identifiable) from “pseudonymisation”, which is data from which the identity of an individual is removed but can be recovered (e.g. from a numerical identifier). For example, instead of naming particular data subjects in an audit, these could be numbered, with an associated spreadsheet held separately detailing the data subject name and matching number.
  • Encryption of data - all data held on laptop computers and other handheld devices is encrypted.
  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services - the firm has a business continuity plan in place should it be the subject of a fire, flood or other severe operational shock.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident - this is also covered in the firm’s business continuity plan.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing - it is the firm’s policy to test this on a regular basis (i.e. at least once every 6 months).
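The pseudonymisation approach described above (numbered data subjects in the working file, names held in a separate mapping table) as an added example; this is not the firm's own tooling, and the client records, names and field names are constructed sample data.

```python
"""Pseudonymisation with a separately held mapping table.

Added example, not part of the Incorpro policy. It shows the distinction the
policy draws: the pseudonymised working file carries only numeric subject
identifiers, while a separate mapping (the 'spreadsheet' in the policy) is the
only route back to the names. All records below are constructed sample data.
"""
import csv
import io

# Constructed sample records, as a payroll or audit working file might hold them.
# The third row repeats the first subject to show that linkability is preserved.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "address": "1 Sample St", "salary": "41000"},
    {"name": "Bob Sample", "address": "2 Test Rd", "salary": "38500"},
    {"name": "Alice Example", "address": "1 Sample St", "salary": "41000"},
]

# Fields treated as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("name",)


def pseudonymise(records, identifier_fields=DIRECT_IDENTIFIERS):
    """Replace direct identifiers with a sequential subject number.

    Returns (working_records, mapping_rows). Working records contain a
    'subject_id' plus the non-identifying fields only; mapping_rows list
    subject_id -> original identifier values and must be stored apart from
    the working file. The same subject always gets the same number.
    """
    numbers = {}  # identifier tuple -> subject_id
    working = []
    for rec in records:
        key = tuple(rec[f] for f in identifier_fields)
        if key not in numbers:
            numbers[key] = len(numbers) + 1
        out = {"subject_id": numbers[key]}
        out.update({k: v for k, v in rec.items() if k not in identifier_fields})
        working.append(out)
    columns = ("subject_id",) + tuple(identifier_fields)
    mapping_rows = [dict(zip(columns, (sid,) + key)) for key, sid in numbers.items()]
    return working, mapping_rows


def mapping_to_csv(mapping_rows, identifier_fields=DIRECT_IDENTIFIERS):
    """Serialise the mapping as CSV text, the 'associated spreadsheet' of the policy."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=("subject_id",) + tuple(identifier_fields))
    writer.writeheader()
    writer.writerows(mapping_rows)
    return buf.getvalue()


def reidentify(working, mapping_csv):
    """Restore the identifiers; only possible for whoever holds the mapping CSV."""
    lookup = {int(r["subject_id"]): r for r in csv.DictReader(io.StringIO(mapping_csv))}
    restored = []
    for rec in working:
        ids = lookup[rec["subject_id"]]
        full = {k: v for k, v in ids.items() if k != "subject_id"}
        full.update({k: v for k, v in rec.items() if k != "subject_id"})
        restored.append(full)
    return restored


def contains_identifiers(working, identifier_fields=DIRECT_IDENTIFIERS):
    """Pre-release check on a working file: True if any identifier column survived."""
    return any(f in rec for rec in working for f in identifier_fields)


if __name__ == "__main__":
    working, mapping = pseudonymise(SAMPLE_RECORDS)
    print("working file:", working)
    print("mapping (store separately):\n" + mapping_to_csv(mapping))
    print("identifiers leaked:", contains_identifiers(working))
```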

Security Policy

Under GDPR, all organisations must have a security policy, with the following topics included in our firm’s policy:

  • Security Objectives and Scope;
  • Management Intent;
  • Security Principles, Standards and Compliance requirements at your firm;
  • Roles and Responsibilities for Security Management;
  • Asset Control;
  • Remote Access;
  • Data Backup;
  • CCTV (where in place); and
  • Overview of the Technical, Administration and Physical Safeguards in place.

Security Controls

Examples of practical technical security measures that aid GDPR compliance at our firm include:

  • Ensuring that IT security is properly managed and overseen by an appropriate person in the firm with adequate support from IT professionals;
  • Employing adequate access control, including identity and access management;
  • Putting Intrusion Detection/Prevention and Data Loss Prevention systems in place;
  • Providing appropriate IT education to staff, including demonstration examples of unauthorised data access and malware;
  • Requiring employees and other users to change passwords on a regular basis;
  • Ensuring that all computing devices such as PCs, mobile phones and tablets are using an up-to-date operating system;
  • Ensuring all computing devices are regularly updated with manufacturers’ software and security patches;
  • Using antivirus software on all devices;
  • Implementing a strong firewall;
  • Reviewing vendor-supplied software and changing default system, administrator and root passwords and other security parameters so that defaults are not left in place;
  • Ensuring data backups are taken and are stored securely in a separate location;
  • Ensuring that data backups are periodically reviewed and tested to confirm they are functioning correctly;
  • Ensuring that data is collected and stored securely;
  • Ensuring that mobile devices (such as laptops, mobile phones and tablets) are encrypted;
  • Ensuring that two-factor authentication is enabled for remote access; and
  • Ensuring that websites have TLS (transport layer security) in place to securely collect personal data via web forms (such as for newsletter subscriptions) or on e-commerce websites.

Detailed examples of practical physical security measures employed at our firm include:

  • keeping offices and storage units locked;
  • keeping server rooms or cabinets locked;
  • cabling desktop machines and laptops to desks;
  • implementing clean desk policies;
  • ensuring that fire and burglar alarms are in place and that they are functioning correctly;
  • ensuring that ICT equipment such as hard drives and old laptops, computers and mobile devices are securely disposed of at end of life; and
  • having specific and adequate insurance to cover the costs of any data breaches or cybercrime.

Review of these policies, including cyber security policies and procedure, on a regular basis is advised to ensure that they are up to date and effective.

7. Data Breaches

Definition of Data Breach

The GDPR defines a “personal data breach” as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Any suspected breach of personal data held by the firm must be immediately reported to Andrew Doherty, who shall be responsible for co-ordinating the firm’s response to the breach and any required communications with the DPC and data subjects.

All data breaches will be fully documented, as to the source of the breach, its nature, extent and the remedial action taken. Where the firm acts as controller of data, it will comply with its obligation to notify data breaches to the Data Protection Commission not later than 72 hours after having become aware of the breach.

The following are the contents of a breach notification under the GDPR to be used by the firm:

  • Who – categories of data subjects affected
  • How many – the approximate number of data subjects and data records impacted
  • What types – the categories of data records involved
  • Contact – the name and contact details of the Head of Privacy in your firm
  • Consequences – description of the likely consequences of this breach
  • Follow up – all measures taken or to be taken in relation to mitigating the breach

Firm’s obligations when acting as a processor

Where the firm acts as a Data Processor, it shall inform the relevant data controller (i.e. the corporate client) of any personal data breach. In these instances, the firm should be mindful of the controller’s potential obligation to inform the DPC within 72 hours, and therefore these reports must be made as soon as feasibly possible and without undue delay.

Informing Data Subjects of Data Breaches

Where the firm acts as controller, it must inform the impacted data subjects if there is a high risk that they will be adversely affected by the breach. This must be done as soon as feasibly possible and without undue delay.
