General Data Protection Regulation
Significant changes to European data protection law come into force from 25th May 2018.
Fawcetts has carried out a review of these regulations and would like to take this opportunity to clarify our role under GDPR in the context of the services we provide to our clients.
Data Controllers and Processors
The GDPR defines a controller and processor as follows:
- Controller – Article 4(7) defines a controller as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.
- Processor – Article 4(8) defines a processor as ‘the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
Guidance from the Information Commissioner's Office (ICO) states that ‘accountants and similar providers of professional services work under a range of professional obligations which oblige them to take responsibility for the personal data they process and in doing so they will always be acting as the data controller’.
Our obligations as a data controller
As independent controllers, we do not propose to amend our contractual arrangements with you at this time. However, in line with our obligations under GDPR, we are taking steps to ensure that we:
- Process personal data fairly, transparently and on lawful grounds.
- Process personal data only for the purpose for which it was collected.
- Ensure that the personal data is adequate, relevant and limited to what is necessary.
- Implement appropriate technical, organisational and security measures.
- Practise data protection by design and default.
- Ensure personal data is adequately protected if it is transferred to destinations outside the European Economic Area.
- Only share personal data where we need to and have included this information in our Privacy Notice.
- Retain personal data only for as long as is necessary.
- Honour individuals’ rights.
Our updated Terms & Conditions as well as our Privacy Notice will be on our website before 25th May.
If you have any questions regarding this statement or our personal data handling practices, please contact our Privacy Controller at firstname.lastname@example.org.