Making a date with GDPR: your timeline for 2018


There’s nothing quite like the feeling of having a new diary; full of the possibility of new encounters, clients, challenges and adventures. For the majority of those back to work now, those spotless blank pages for 2018 are filling up fast! It’s time to add in crucial calendar dates; the ones you simply can’t afford to ignore, like the introduction of GDPR this Spring.


Having been waiting in the wings, this is the year GDPR finally replaces the Data Protection Act. It’s a massive shake-up that will see individuals gain greater rights over their personal data than they have now. It means work to do for accountants; changing how client information is handled and safeguarded.


The Keytime team has pulled together a handy timeline to go in your 2018 diary, to ensure you stay a step ahead during the coming months:



Assign a data protection lead to be the champion of data protection within the practice. This month they need to get up to speed with the role and new requirements:

  • They need training to ensure they understand the regulations
  • They must communicate this to staff in their practice
  • They need the authority to make changes and advise the managers to implement change
  • This is an education and awareness role, they cannot make the practice compliant on their own - it is the responsibility of everyone who deals with personal data.



Train staff to raise awareness because data protection is the responsibility of everyone in the practice. All staff need to be trained on the principles of data protection, the concepts of individuals rights and how the practice is protecting client data. They also need to understand how to respond if a ‘data breach’ occurs.



It’s time to audit existing processes. Determine how data is used, handled and shared within the practice and with clients. Privacy by Design means implementing appropriate technical and organisational measures to carry out data protection principles in an effective manner and to integrate the necessary safeguards. It is a key element of GDPR; do the processes employed in the practice support this?


In your diary for this month, make a note of the type of questions you should be able to answer at this stage:

  • Are passwords secure?
  • Do policies exist to correctly identify callers?
  • Is there a process to prevent incorrectly sharing information with the wrong clients?



Create an action plan. After the audit is complete resolve any short comings to ensure GDPR compliance. Once policies are defined they need to be documented, shared with staff and become the new ‘Business as Usual’. It’s good practice to keep your clients aware of the progress you have made.


Check this month that you have shared:

  • Practice data protection policy
  • An updated engagement letter.



The big day has arrived, and you should be ready: GDPR comes into force on 25th May. There’s no avoiding it and there will be no hiding from it: penalties for breach of rules up to 4% turnover or €20m – whichever is higher. If you need more help, the Information Commissioner’s Office has a wealth of information at  including a 12 step guide to preparing for 25th May.


Even if your 2018 diary is still relatively pristine, we hope you’ll choose to include this timeline as a starting point for being prepared for the months ahead. This also marks the start of Keytime’s blogs this year; but given what a transformation to compliance GDPR is, expect more from us as we share information and give practical guidance to help you along.