Sayer Vincent and GDPR
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. The rules apply to personal data that is stored both electronically, or in paper form.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified.
For engaged work personal data may relate to your staff, trustees, volunteers, beneficiaries, donors or other individuals who interact with your organisation.
Is Sayer Vincent a controller or processor under the GDPR?
As chartered accountants, Sayer Vincent is regulated by the Institute of Chartered Accountants in England and Wales and therefore has a professional obligation to take responsibility for the personal data that we process. This ensures that we are able to fulfil our legal and professional duties of reporting to HMRC, the Charity Commission, and other third parties where we are required to do so.
For this reason, we act as data controller for personal data processed as part of engaged work with our clients.
We shall each be considered an independent data controller in relation to personal data that you share with us as part of engaged work. Each of us must comply with all requirements and obligations applicable to us under the data protection legislation in respect to this personal data.
What are Sayer Vincent’s responsibilities as data controller?
We take data protection seriously and understand that our responsibilities under the GDPR include, but are not limited to:
- Ensuring that personal data is processed lawfully, fairly and in a transparent manner
- Ensuring that personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Ensuring that we only process personal data that adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Ensuring that personal data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Ensuring that personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Ensuring that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How is Sayer Vincent ensuring compliance as a data controller under the GDPR?
- We have appointed a Data Protection Lead to ensure that we meet our responsibilities as data controller
- Our staff are trained and understand the importance and responsibility of handing personal data appropriately
- We review the types of personal data that we process and identify a lawful basis for doing so
- We encourage an approach of data minimisation, only requesting or retaining information required for the purposes of our engaged work
- We have identified retention periods for different types of personal data depending on what we are using it for
- We have ensured that we have commercially reasonable and appropriate security measures in place to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed
- We are transparent about how we use personal data.
Our privacy notice includes information about:
- How we may collect personal data
- The kind of personal information we may hold
- How we may use personal information we hold
- Data security
- Individuals’ rights
- Contact details of our Data Protection Lead
You can read the full information in our privacy notice on our website.
Our current terms and conditions for engaged work refer to us as data controller under the Data Protection Act 1998.
There is no express legal requirement to include data protection provisions in an engagement letter where the service provider and the client will each be independent data controllers, however we have updated the data protection clause in our standard terms and conditions for engaged work to confirm our responsibilities under the GDPR.
In due course we will also update our engagement letters. This will likely take place during the next cycle of engaged work with you.