GDPR compliance

The General Data Protection Regulation (“GDPR”) came into force on 25 May 2018, and replaced the existing data protection laws set out under the Data Protection Act 1998. The GDPR establishes a new regulatory framework for how organisations use and protect personal data.

Lovewell Blake (“LB”, “we”, “our”) actively works on its GDPR strategy, and has a project team comprised of Partners, senior managers and external advisers, who focus on implementing this strategy to assist our clients with their GDPR compliance.

We are committed to meeting the standards required under the GDPR and ensuring that we respect the personal data that our clients make available to us. We recognise that, as your accountants and business advisers, trust is one of the cornerstones of our relationship and we value the confidence that you have placed in us when you disclose your personal data.

As part of our GDPR strategy, we continue to carry out a comprehensive review of our records and systems to ensure that we have the necessary policies, procedures and technical and organisational measures in place.

This page is intended to address some of the key matters under the GDPR that apply to our relationship, and sets out what we are doing to ensure that clients can be comfortable sharing personal data with us.

LB: Data controller or data processor?
Data protection law (both the GDPR and the previous Data Protection Act 1998) sets out two key roles: data controllers and data processors.

These roles are defined as follows:
• “Data controller” is an organisation or person that determines the purposes for which and the manner in which any personal data is processed.
• “Data processor” is an organisation or person that processes the data on behalf of the data controller.

In every case, organisations will be either a data controller or a data processor (or both) when collecting and using personal data. It is often assumed that service providers (such as accountants) will always be data processors, so we have sought to clarify the position as follows:

Accountancy, tax and financial planning clients
Our clients will usually engage LB to provide accountancy, tax, financial planning and/or other associated professional services to them (whether a private or business client). Although we are providing a service to you, this does not automatically mean that we are acting as a data processor on your behalf. The Information Commissioner’s Office has made it clear that accountants are data controllers in most circumstances. The reason for this is that we are under various professional obligations (such as our overriding duty to our regulators) that go beyond our clients’ instructions. For example, in providing these services to you, we may have to use your personal data to act in accordance with our own professional obligations. On that basis, when you engage us to provide accountancy, tax and financial planning services, we will be a data controller.

Payroll clients
Alternatively, clients may engage LB to provide payroll bureau services. In these circumstances, we will be your data processor on the basis that you, as a data controller, have instructed us to carry out payroll activities, and we do not have the ability to exercise any control over the personal data that you send to us. Where clients who engage us for accountancy, tax and financial planning services also use us for payroll bureau services, we will be a data processor only when we provide payroll bureau services. In all other circumstances, we will be a data controller (as set out above).

Data processing agreement
Under the GDPR, where a data processor is processing personal data on behalf of a data controller, the data controller is required to enter into a data processing agreement with the data processor. Article 28 of the GDPR also sets out what clauses need to be included in a data processing agreement. For most of our clients, as set out above, LB is not acting as a data processor, so the GDPR does not require you to enter into a data processing agreement with us.

Where we are providing payroll bureau services, we are a data processor, so the GDPR requires that you enter into a data processing agreement with us. In order to assist with your GDPR compliance, we will be circulating data processing agreements incorporating the necessary clauses (in the form of an addendum to your existing terms of business with us). We would be grateful if you can sign and return this data processing agreement, which has been prepared for your benefit. We will also be updating our terms of business for new payroll clients.

We have evaluated our policies, procedures, notices and security practices to ensure that we are accountable for the personal data we collect and process, and can demonstrate compliance with the data protection principles under the GDPR. In particular, we continue to review our data flows to fully and properly understand what personal data is being used and stored across the organisation.

We will also continue to review any third party sub-contractors that we engage as part of our services (including any software or cloud service providers), to ensure that they are acting in accordance with data protection laws. In doing so, we ensure that those sub-contractors have the appropriate technical and organisational measures in place to comply with the GDPR, so that if we share your personal data with them, you can be comfortable that they apply an appropriate degree of security to that personal data.

Finally, we have appointed a data compliance team that will take responsibility for ensuring GDPR compliance across the organisation. The data compliance team comprises senior members of LB from all of our offices and a range of different departments, so that the team has the necessary expertise to deal with a variety of data protection matters.

For more details about our GDPR compliance or any specific data protection practices, please contact the data compliance team at privacy@lovewell-blake.co.uk.