GDPR FAQs for Chartered Tax Advisers (CTA)

  1. What is the General Data Protection Regulation (GDPR)?
    GDPR came into effect on 25 May 2018 and harmonises data protection laws across Europe. The GDPR regulates the processing, by an individual, a company or an organisation, of personal data relating to individuals in the EU.

  2. What is Personal Data?
    Personal data means “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

  3. What Personal Data might CTAs hold?

    • Basic: name, address and date of birth

    • AML (Anti-Money Laundering): passport and utility bill

    • Financial: PPS number, statement of affairs, tax returns, bank accounts for individuals

    • Health: previous and current illnesses and/or medical conditions

    • Other: a person’s family details, beneficiaries, insurance details

    • Employees: information about staff members

  4. Do I Need to Determine if I am a Controller, Processor or Joint Controller?
    You must determine this from the outset as it will determine your obligations under GDPR.

  5. What is a Controller?
    A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Most CTA practices will be controllers in respect of their clients’ (as well as employees’) data. However, they will be processors where they process personal data on behalf of another company. In both instances they will be subject to certain data protection obligations and responsibilities.

  6. What is a Processor?
    A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

  7. What is a Joint Controller?
    In cases where two or more controllers jointly determine the purposes and means of processing, the companies will be regarded as joint data controllers.

  8. What is Processing?
    Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

  9. What Data can CTAs Process and Under Which Conditions?
    The type and amount of personal data you may process depends on the reason you are processing it (i.e. the legal basis) and what you want to do with it. You must respect several key rules, including:

    • personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing (‘lawfulness, fairness and transparency’).

    • you must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You cannot simply collect personal data for undefined purposes (‘purpose limitation’).

    • you must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’).

    • you must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not (‘accuracy’).

    • you cannot further use the personal data for other purposes that are not compatible with the original purpose of collection.

    • you must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’).

    • you must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).

  10. What is the Legal Basis for Processing Data?
    A controller may process personal data only when there exists a valid legal basis to perform such processing. Examples of a legal basis include (but are not limited to): having the consent of the data subject; where the processing is necessary for the performance of a contract; or where the processing is necessary for the legitimate interests pursued by the controller. Legally, a controller needs at least one legal basis for carrying out the processing of personal data. CTAs should look at the various types of data processing they carry out, identify the legal basis for carrying it out and document it in a Data Retention Policy. This is particularly important where consent is relied upon as the sole legal basis for processing data. Under the GDPR, individuals will have a stronger right to have their data deleted where customer consent is the only justification for processing. CTAs will have to explain the legal basis for processing personal data in their privacy policy and when they answer a subject access request.

  11. Do I Need to Update my Letter of Engagement?
    Depending on the terms of the data protection clause in the LOE, it will most likely be necessary to update the LOE. CTAs may consider referring to the privacy policy in their LOE and attaching the policy as a schedule to the LOE. It is not recommended to embed the policy in the body of the text of the LOE, as this is unlikely to be considered appropriate for the GDPR notification standards. Also, CTAs may need to update the policy from time to time, and it may be convenient to do so without amending the entire terms of the LOE. Furthermore, a data processing agreement (see Article 28 of GDPR) may also be required where the CTA is processing personal data on behalf of a client.

  12. Do I Need to Update my Data Privacy Policy?
    Yes, because additional requirements and information need to be complied with under GDPR. For example, privacy policies should be in clear and plain language. Your policy should be concise, intelligible, transparent and made easily accessible to data subjects (such as internal employees, external clients and, where appropriate, the public). Articles 13 and 14 of GDPR set out the information that must be provided to data subjects where their data is obtained:

    • Identity and contact details of the controller as well as the contact details of its data protection officer where applicable

    • The type of data you hold

    • How personal data (including special categories of personal data) is collected

    • How personal data (including special categories of personal data) is used

    • The purpose for collecting and processing data

    • Lawful basis for the processing

    • The recipients of the data

    • Whether data will be transferred outside the jurisdiction

    • Whether automated decision-making is used

    • Whether the data subject must provide the data

    • Data security

    • Data retention

    • The individuals’ rights of access, correction, erasure, restriction, objection to processing, data portability as well as their right to withdraw consent and to lodge a complaint with the local data protection office

  13. What About Revenue Audits?
    Revenue audits seek assurances that a business has filed true and correct tax returns based on the information contained in its underlying records. Some of this information may contain personal data, and a client may ask for advice about providing this to Revenue. The position under GDPR is that personal data can be processed and disclosed when it is done in compliance with a legal obligation to which the client is subject. Furthermore, under the Data Protection Act (signed 24 May), the rights of individuals are restricted to the extent that they are necessary and proportionate for:
    (i) the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties, or
    (ii) the administration of any tax, duty or other money due or owing to the State or a local authority, in any case in which the non-application of the restrictions concerned would be likely to prejudice the aforementioned administration.