Incorpro shall at all times comply with its data protection obligations under the GDPR, in keeping with the six core principles of GDPR that personal data shall be:
Based on these principles, for each piece or type of personal data we hold, the firm is able to demonstrate on demand (i.e. accountability):
In addition to the 6 core principles, the firm shall ensure that:
Training & Education
Co-ordination and Compliance
The firm has appointed Andrew Doherty as Head of Privacy. Andrew Doherty is responsible for compliance with GDPR and all personal data processing and data security within the firm.
Consideration of whether the firm needs to appoint a Data Protection Officer (DPO)
The GDPR specifies that a Data Protection Officer (DPO) must be appointed when:
In view of these criteria and the firm’s activities, the firm has considered whether it is required to appoint a DPO and has decided not to appoint a DPO.
Based on our Data Map, the following are the main types of data, data subjects, types of data processing, and our status as Controller or Processor.
Personal data processed by this firm
The firm processes two different types of personal data: client data and firm data.
The firm holds personal data for the following categories of people (Data Subjects):
Client data processing carried out by the firm
Customer Due Diligence
For all clients, the firm is obliged to obtain Customer Due Diligence information under Anti Money Laundering legislation. This data includes copies of passports (or similar photographic ID) which record the date of birth and nationality of clients, and utility bills (or similar) which provide evidence of the home address. This is considered to be personal data.
Data obtained in the provision of services
Accounts preparation and bookkeeping assignments for corporate clients - the firm obtains and processes personal data concerning a number of persons associated with the entity, including the directors, staff, customers, suppliers, subcontractors and other natural persons who are service providers of the client.
Accounts preparation assignments for unincorporated clients - In this case the firm considers all information obtained to be personal data because there is no legal separation between the business and the personal affairs of the client.
Corporation tax advice assignments - the firm may obtain personal data concerning the directors and staff of the company.
Personal Tax - Income tax including directors’ PAYE, capital gains tax, capital acquisitions tax, and other personal tax heads. In these assignments, it is assumed that all data obtained and processed is personal data processed by the firm.
Payroll Services - the firm obtains and processes personal data concerning the directors and staff of the clients.
In all of the above assignments, the firm will obtain names, addresses, email addresses, dates of birth, salary levels and other similar information. In personal tax, extensive details of the personal financial affairs of the client are obtained. In some personal tax cases, we may obtain information regarding the state of health of the client, which may be relevant to the claiming of personal tax credits. In some cases, the firm may obtain personal data concerning persons under eighteen years who are employed by clients.
Lawful Basis
The GDPR stipulates that a firm must establish that it has a lawful basis for processing data. In relation to ‘client data’, the firm considers that the lawful bases are to meet the specific legal obligation to maintain documentation.
In all professional engagements, the firm considers that it has a legal right and obligation to maintain engagement files and correspondence files containing personal data so that it can subsequently demonstrate that it complied with its contractual obligations and that it applied due skill and care, as well as complying with other legal and professional obligations in the performance of the engagements.
It is the firm’s policy to identify and document the lawful basis for processing data at the start of the client engagement and to inform individual clients of this via a privacy notice, as an addendum to the engagement letter. Corporate clients will be required to separately sign an addendum setting out the data processing obligations of the firm and the client, as required by the GDPR. The following are the lawful bases identified by the firm for holding and processing client data:
| Type of Engagement | Lawful basis for processing personal data |
|---|---|
| Accounts preparation and bookkeeping assignments for corporate clients | Necessary for Contract, Legal Obligation, Legitimate Interests |
| Accounts preparation assignments for unincorporated clients | Necessary for Contract, Legal Obligation, Legitimate Interests |
| Corporation tax compliance & advisory assignments | Necessary for Contract, Legal Obligation, Legitimate Interests |
| Personal Tax | Necessary for Contract, Legal Obligation, Legitimate Interests |
| Payroll Services | Necessary for Contract, Legal Obligation, Legitimate Interests |
Employee Data: The firm considers that it has a legal obligation to hold personal data of employees, and that the processing of employees’ personal data is necessary to fulfil the firm’s obligations under the employment contract of each employee. The firm holds only that personal data that is necessary to hold, and for the retention periods set out in its data retention policy. This is specified in the privacy statement in the firm’s employee handbook.
Special Category Data
The firm acknowledges that personal data which reveals racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data and data concerning individuals’ sex life or orientation are considered ‘Special Category Data’ under the GDPR, and that processing such data is prohibited unless an exception applies. The firm does not intend to process Special Category Data on behalf of clients, and in any case will not do so unless an exception applies, as provided in the GDPR. Where it is necessary for the firm to process Special Category Data of an employee, the firm will do so in accordance with the employee handbook.
The firm’s status as a Data Controller or Processor
The firm acknowledges that in accordance with GDPR and the guidance of the EU Article 29 Working Party, the firm may be a data processor where a corporate client determines the purposes and means by which the firm processes personal data, and the firm is a data controller where the firm determines the purposes and means by which it processes personal data.
The firm considers that it generally acts as a controller or processor in accordance with the following table:
| Type of Engagement | Controller or Processor |
|---|---|
| Accounts preparation and bookkeeping assignments for corporate clients | Controller |
| Accounts preparation assignments for unincorporated clients | Controller |
| Corporation tax compliance & advisory assignments | Controller |
Thesaurus Software Limited
Google Ireland Limited
The firm has put in place written contracts with these providers, including:
None of these service providers are based outside the EU. For service providers based outside the EU (such as cloud storage providers), the firm will obtain a GDPR compliance statement confirming in writing that any data transferred out of the EU, either to or by the service provider, is transferred and processed in a manner compliant with GDPR requirements.
The firm’s responsibilities when it acts as Data Controller
Where the firm acts as a Data Controller, it acknowledges that it is subject to the full scope of data protection obligations imposed by the GDPR. This includes (but is not limited to) the firm’s obligations to:
* Article 14 of the GDPR contains limited exemptions from these requirements where the firm has not collected data directly from the data subjects. This is dealt with in more detail later in this section, under Privacy statements.
The firm’s responsibilities when it acts as Data Processor
Where the firm acts as a Data Processor, it acknowledges that it is subject to certain data protection obligations imposed by the GDPR. These obligations are:
Where the firm acts as a data controller, it is the firm’s policy to ensure the information below is supplied to data subjects (including to our employees and job candidates) before their personal data is collected and processed by the firm:
Where the firm acts as a Data Controller to a client, we will provide a copy of our privacy notice, as an appendix to our Engagement Letter with this client, thus covering our responsibilities to the client and its data subjects in this regard. The firm will also include its Privacy Notice on its website.
The data subjects of the firm have the following rights:
Data subjects have the right to make a DSAR. The DSAR may be for all personal data of that data subject held by the firm or a subset of the data. The firm must respond to the request within 1 month, unless the firm can show that the request is manifestly unfounded or excessive, or where the request is sufficiently complex or one of a number of requests (in which case the response time may be extended to 3 months). The firm does not have the right to charge a fee for processing this request, again unless the firm can show that the request is manifestly unfounded or excessive.
Any DSAR received by the firm shall immediately be referred to Andrew Doherty who is responsible for co-ordinating the firm’s response to any DSAR.
Where the firm receives a DSAR, the firm will first conduct due diligence to confirm the identity of the data subject. The firm will not comply with DSARs made by anyone other than the data subject him/herself.
Where the firm receives a DSAR, the firm will assess all data held on behalf of the individual, including data held on:
Hard copies will be made of any documentation containing personal data of the data subject who made the DSAR.
All data relating to any individuals other than the maker of the request will be redacted. The firm will consider whether its legal and professional obligations require any data held by the firm to be kept confidential.
Records of all DSARs and response times shall be kept by the firm in a DSAR register.
Right of Erasure (Right to be Forgotten)
Data subjects have the right to request erasure of their personal data where the firm does not have a legitimate reason for retaining such data. Where the firm receives a request for erasure from a data subject, then the firm will assess all personal data held on the data subject, including data held on:
All personal data deemed as not held for a legitimate purpose will be deleted/destroyed in line with the firm’s policy.
Right of Rectification
Data Subjects have the right to require that their personal data be up to date and accurate. Where the firm receives a request from a data subject, the firm will verify whether the data subject’s data is up to date and accurate, and if not will make the requested corrections.
Right to Restrict Processing
Where a data subject is contesting the accuracy of his/her personal data held by the firm (see right to rectification above), or is objecting to processing (see right to object below), or where the processing is unlawful, the data subject has the right to restrict processing of his/her personal data.
The firm’s policy is to follow the same procedure as for a request under the Right to Erasure. It will review all data held by the firm relating to the data subject and consider whether it holds any data in excess of that needed under its legitimate purpose. It will then restrict future processing of any “excess” data in accordance with the request of the data subject.
The Right to Object to Processing
Under this right the data subject can object to the processing of his or her data. The firm’s policy is to follow the same procedure as for a request under the Right to Erasure above. It will review all data held by the firm relating to the data subject and consider whether it holds/processes any data in excess of that needed under its legitimate purpose. It will cease any processing of any “excess” data in accordance with the request of the data subject.
Right to Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. This means they should be able to move, copy or transfer personal data easily from one IT environment to another, and from one service provider to another, in a safe and secure way. This is an extension of the access right, and data subjects have the right to receive their data in a structured and machine-readable form.
The right to data portability applies:
The firm considers that, because it does not generally process personal data by purely automated means, it does not hold data which would be subject to a data portability request.
In the event that the firm determines that it holds data relevant to a data portability request, it will review the personal data held. The firm will then determine the electronic format in which the data has been requested to be transferred, (e.g. the electronic file type). All data relating to any individuals other than the maker of the request, will be redacted. The firm will then consider whether its legal and professional obligations require any data held by the firm to be kept confidential and transfer the data deemed not subject to these restrictions to the third party (who may be another accountancy firm) as requested by the individual.
The firm is required to be able to demonstrate compliance with each of its obligations under the GDPR. This requires that internal mechanisms and control systems are put in place to ensure compliance with the GDPR and that there is documentary evidence to prove this. This evidence may need to be produced to external stakeholders, including supervisory authorities (such as the Data Protection Commission (DPC) in the Republic of Ireland and the Information Commissioner’s Office (ICO) in the UK & Northern Ireland).
The firm demonstrates GDPR compliance through, for example, its policies addressing Data Protection Impact Assessments, Privacy Notices, Privacy by Design and Data Retention.
Data Protection Impact Assessments (DPIAs)
DPIAs are requirements under the GDPR in relation to processing activities that are likely to result in high risks to the rights of data subjects. DPIAs may be required particularly in relation to the roll-out of new technologies, such as significant new IT systems or new working practices.
It is the firm’s policy to conduct a DPIA to assess the risks that are inherent in any new proposed processing activities, which will in turn be designed to allow the firm to identify and mitigate the associated data protection risks, before we commence these new processing activities. In rollouts of new IT systems, for example, a DPIA must be completed, with satisfactory results, before processing of live data is carried out.
It is the firm’s policy to not carry out any activities that would require mandatory DPIAs, such as systematic and extensive evaluation of individuals based on automated processing (profiling), large scale processing of special categories of data and personal data relating to criminal convictions and offences, or systematic monitoring of public areas on a large scale.
Where a DPIA is required, Andrew Doherty shall be responsible for co-ordinating the DPIA within the firm. The DPIA shall include:
Where appropriate and practical, the firm will seek the views of data subjects or their representatives on the intended processing.
Where the DPIA indicates that the intended processing would result in a high risk in the absence of mitigating measures taken by the firm, the firm will consult with the DPC prior to beginning such processing.
Privacy by Design
It is the firm’s policy to place the protection of privacy at the centre of all decision making processes and at the start of any new service development or process development. The firm will consider both appropriate technological and organisational measures to ensure GDPR compliance in these circumstances.
If the firm is considering, for example, changes to working practices (e.g. homeworking), an office redesign or installing new technology, then means to protect the privacy of data subjects must be included in the decision making process and the rolling out of the change.
Transferring Data out of the European Economic Area (EEA)
It is the firm’s policy to not transfer any personal data outside the EEA for any purpose. This policy will be reviewed following the United Kingdom leaving the European Union.
Document Retention
Data must only be held for the purpose for which it was collected and only for ‘as long as necessary’.
The firm’s policy in relation to document retention for client data
The firm has a policy of retaining all documentation in relation to the following assignments for seven years from the date that the documentation was first received or created by the firm, or the completion date of the assignment. Data is also held for former clients under this policy.
It is the firm’s policy to carry out an annual review of all the data it holds and on what grounds the data is held (by category). Following on from this review, decisions must be made whether the firm continues to need the data that it holds.
The firm’s policy for holding data of former employees (following the retention period noted above) is to only hold the employee name, address and email details to enable the firm to contact the former employee, for a specific purpose (e.g. changes to a pension scheme, employment opportunity) in the future.
It is the firm’s policy to comply with its security obligations in relation to personal information by implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are present.
These measures include:
Under GDPR, all organisations must have a security policy, with the following topics included in our firm’s policy:
A detailed list of examples of practical technical security measures to aid GDPR compliance at our firm include:
Detailed examples of practical physical security measures employed at our firm include:
Review of these policies, including cyber security policies and procedure, on a regular basis is advised to ensure that they are up to date and effective.
The GDPR defines a “personal data breach" as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Any suspected breach of personal data held by the firm must be immediately reported to Andrew Doherty, who shall be responsible for co-ordinating the firm’s response to the breach and any required communications with the DPC and data subjects.
All data breaches will be fully documented, as to the source of the breach, its nature, extent and the remedial action taken. Where the firm acts as controller of data, it will comply with its obligation to notify data breaches to the Data Protection Commission not later than 72 hours after having become aware of the breach.
The following are the contents of a breach notification under the GDPR to be used by the firm:
Where the firm acts as a Data Processor, it shall inform the relevant data controller (i.e. the corporate client). In these instances, the firm should be mindful of the potential obligation of the controller to inform the DPC within 72 hours, and therefore these reports must be made as soon as feasibly possible and without undue delay.
Informing Data Subjects of Data Breaches
Where the firm acts as controller, it must inform the impacted data subjects if there is a high risk that they will be adversely affected by the breach. This must be done as soon as feasibly possible and without undue delay.