GDPR compliance for accountancy business
Assign topic to the user
Answer:
Based on the description provided the accounting company only acts as processor on behalf of sole traders and other limited companies.
If we are considering sole traders which are in fact natural persons (data subjects) the EU GDPR would be applicable and the documents found in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ would be useful. For example, data breaches should be notified, according to their severity, to the Supervisory Authority and to the data subjects themselves (the sole traders).
As for the limited companies the situation might differ depending on the type of activities provided by the accounting company. If we are talking about general ledger type activities, s uch as tax calculations, filing tax reports which do not involve personal data the EU GDPR is not applicable. However, if other accounting activities such as payroll for the limited companies employees or calculating tax deductions for employees, are delivered, this would mean that the EU GDPR would be applicable.
As a general remark, due to the fact that the accounting company has only one employee, there may not necessarily be a need to have procedures or complex processes set up in place. For example EU GDPR article 30 requirements (Records of processing activities) are not compulsory for companies under 250 employees which includes accounting companies (although it would be helpful to have it) and the Data Protection Impact Assessments will most likely not be necessary.
Nevertheless the only employee of the accounting company should be informed about the main GDPR provisions - especially the ones referring to personal data breaches and the use of sub-processors (if the accounting company outsources part of its activities to third parties). All relevant information can be found within the EU GDPR implementation toolkit.
Comment as guest or Sign in
Nov 20, 2017