
Call 01795 428 928 - Email info@ctaccounts.com

Data Security – Data Protection Regulation - Ensuring Compliance

The General Data Protection Regulation (GDPR) requires organisations to protect the personal data of individuals.

Roles and Responsibilities

In the run-up to GDPR you will have considered whether you needed to formally appoint a Data Protection Officer (DPO). This is mandatory (Article 37) if:

  • You are a public authority or body; or
  • Your core activities require large scale, regular and systematic monitoring of individuals; or
  • Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

Many organisations choose to give a named individual or department responsibility for privacy activities without making a formal DPO appointment. Either way, making sure that the roles and responsibilities for data protection are documented and well known across your organisation is a key compliance requirement.

ROPA - Record of Processing Activities

Documentation of the processing activities carried out by the organisation is a requirement of Article 30 of the GDPR (both UK and EU) if your organisation has 250 or more employees. Smaller organisations are only exempt if none of the following apply; the record is still required if the processing you carry out:

  • is not occasional; or
  • is likely to result in a risk to the rights and freedoms of individuals; or
  • involves special category data or criminal conviction and offence data.

Your ROPA should contain a data map of the systems that hold personal data, along with the purposes of processing, the lawful basis relied on, the categories of data subjects and of personal data, who the data is shared with (including any transfers outside the UK/EU), retention periods and a general description of the technical and organisational security measures in place.

It is important to review this documentation regularly, since systems, suppliers and purposes of processing change over time.

There is further guidance from the ICO on ROPA best practice.

Policies and procedures

Your policies and procedures should clearly outline roles and responsibilities in your organisation covering a number of privacy related areas:

  • Data Protection and records management
  • Information security including breaches and incident management
  • The provision of information following individual rights requests – such as subject access requests and information notices
  • Data Protection by design and default, so that privacy issues are considered and documented (through a Data Protection Impact Assessment, DPIA) when new systems, services, products and processes are implemented, or existing ones amended
  • The privacy policy on your website should be reviewed regularly and the date of last update clearly displayed

Supplier Management

It is essential that written contracts (required by Article 28) are in place with organisations that process personal data on your behalf. Contracts should set out the details of the processing, including:

  • The subject matter of the processing
  • Duration of the processing
  • Nature and purpose of the processing
  • Type of personal data and categories of data subjects
  • Whether any sub-processors are used, and the conditions under which they may be engaged.

A framework of due diligence checks is needed to confirm that these organisations have the appropriate technical and organisational measures in place to meet GDPR requirements.

Regularly reviewing the contracts and data sharing agreements you have in place with other organisations is recommended.

Training

Making sure your staff are aware of their responsibilities when processing personal data is key. Induction and refresher training should cover data protection, the security threats staff are likely to encounter (for example phishing and mishandled e-mail), and your organisation's information governance policies and structures. Monitoring and documenting training completion is an important element in being able to demonstrate your compliance.

Other laws and regulations

There are various other Acts and regulations in the UK which have a bearing on data security. These include:

  • Privacy and Electronic Communications Regulations (PECR) 2003 - which cover 'spam' and mass-marketing mailshots. PECR has been amended several times, for example to require consent for the use of cookies on websites, and in 2016 to require anyone making a marketing call to display their number
  • Copyright, Designs and Patents Act 1988 - which protects software as a literary work and was amended in 2002 to strengthen the criminal offences for unlicensed copying
  • There may be other IT standards and regulations applicable: for example, companies processing credit card transactions need to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Sources and links

ICO home page for organisations

EU GDPR portal - www.gdpreu.org
