As an accountant you may think that data protection regulations isn't your department's concern. But these regulations actually affect every department that uses an individual's data, whether it's to send marketing communications or to manage customers' payments.

If you work in practice you will keep client records; if you work in business you will manage customer records. All data relating to identifiable individuals, including financial data, is covered by the current Data protection Act 1988 but this regulation will be superseded by the General Data Protection Regulation (GDPR) on 25 May next year.

The introduction of GDPR will mean a number of changes in how businesses operating throughout the EU manage data.

What are the key points of GDPR?

Here's a summary of some of the key changes:


  • If your organisation is a public authority, processes large amounts of data or carries out large-scale monitoring of individuals then the company will need to appoint a Data Protection Officer
  • If the organisation processes high risk or sensitive data you may need to conduct a data privacy impact assessment

Consent and opt-in

  • The organisation needs to prove that it is 'lawfully processing' contact data; this 'lawful processing' needs to be documented
  • Lawful processing is likely to be either consent (the contact opting in to their data being used) or for the necessary performance of a contract. Consent is going to be the most commonly used
  • Consent must be considered 'granular', i.e. people can opt in to certain things but not others
  • With regards to existing data, the company will need to refresh consent if there is no record of it currently or where none has been gained in the past
  • There are a variety of ways you can gain consent but pre-checked boxes are no longer allowed

Individual's rights

  • Individuals have more rights under GDPR
  • Existing (but amended) rights include the right to access their data and the right to have data corrected
  • New rights include the right to be forgotten, the right to port their data to another company and the right to restrict the processing of their data for automated profiling purposes

Company policies

  • Your internal data protection policy will need updating to include all of the above
  • It also needs to include a policy of data breach detection, reporting and investigation
  • Your cookie policy needs to include any online unique identifiers used, for example Google Analytics cookies
  • Ideally, your company should map data journeys to fully understand where data goes in the company, when permission is gained and what protection exists at each stage
  • Your consent notices and privacy policy will also need updating

What should I be doing?

You should get involved in any action groups that have been set up in your organisation in order to make sure the accounting function is suitably considered in any audits and data mapping. You will also need to be aware of how any proposed changes in data policy will affect how you work with and manage data passing through your department.

Don't leave it until the last minute, get to grips with GDPR.

For more information visit the ICO website. We also have an online data protection course fully updated with GDPR >>