Worried about what GDPR means for accountants? Experts answer your top 11 questions
As accountants, we're no strangers to tackling complicated issues. But the questions our clients have been raising lately about GDPR have been harder to answer than our usual queries.
Throw in the assault of “sign in” emails we all received on 25th May, and we could be forgiven for our already jaded outlook on the new data protection legislation.
In an effort to keep things simple, we asked GDPR expert Ron Weatherup, Managing Director of Lugo, to give us the lowdown on his top frequently asked GDPR questions - and what the new law actually means for accountants and their clients.
1. In a nutshell - what is GDPR?
It replaces the 1998 Data Protection Act for our current data landscape. Technology has moved on a lot in 20 years. It aims to protect individuals' data and the way companies use it.
2. I run a small accountancy practice in Scotland. Why should I care about GDPR?
The UK has adopted GDPR and has brought in fines and criminal sanctions for those who fail to implement it. If you deal with personal data, your client will care how you manage their sensitive information. Small companies are more at risk of being breached than ever before.
3. Our practice keeps the personal data of clients both past and present, but we don’t use our lists for marketing or advertising. Do I still need to take action?
Yes, if you hold the data then you are accountable for it. You must only hold on to data that you have a legitimate reason to hold on to.
4. I’m a sole practitioner and I only have a handful of clients. I’m exempt from this, right?
Afraid not - it’s not about the size of your practice but the data you hold on to. For example, if you carry out a tax return for a celebrity and the data is desirable, you must still protect it. Just because you have a small practice does not make the data you handle any less desirable.
5. I work in a small firm, and there’s only a handful of accountants and our operations team. How many of us need to be trained on handling data?
Everyone! The biggest problem we see is that because you deal with sensitive data on a daily basis you can be more blasé with it. As above, just because you deal with payroll information on a daily basis and it is normal for you to handle it doesn’t mean that it is not sensitive information that should be stored and managed correctly.
6. I’ve heard we might need a Data Protection Officer - why, and who should it be?
Might is the correct word. Even though for small practices it may not be required, it may be the moral and ethical thing to do. From a reputational standpoint it would show that you take the data you deal with seriously, and it makes it easier for staff and clients to know who to contact in relation to data covered by GDPR.
If you register your DPO then they must comply with the duties of a DPO. We would also recommend making sure the contact details are for a group or more than one person, as the timelines within which you must deal with matters can be strict.
7. We regularly send our clients updates by email. What changes should I have put in place - and what’s my next step?
Email was never designed to be secure; it was designed to be a cheap and quick way to communicate over the internet. If you are sending emails, then you need to make sure the email does not contain personal sensitive information. If you are sharing data governed by GDPR, then make sure the data is encrypted in an online portal or an encrypted email.
None of this security is designed to make it easier to share the data; in fact, it is designed to make it harder to access. It is a bit like putting a burglar alarm on your home or a gate on your driveway.
8. As an accountant I know a lot about risk assessment. But how do I apply my skills to GDPR?
The same way as you did with the DPA. The fines are frightening, but you are more likely to go out of business through poor reputation if you fail to comply. Simple things like encryption can be turned on for free, and if a breach were to occur it would put you in a better light with the ICO.
9. I’ve heard rumours about hefty fines. What happens if I don’t comply with the law?
Some people say it doesn’t matter if you don’t get found out, but if you are dealing with Personal Sensitive Data under GDPR and using it unlawfully, then you are likely to get reported to the ICO. We are seeing more accountants' clients asking what their data protection policies are before they appoint them.
10. We work with vendors for our IT resources, and they help us with file sharing and data encryption. How do I know if my IT vendor is GDPR compliant and what should I be looking for in an IT partner?
They need to understand what you do and how you work. It is important as a practice to be transparent with your IT provider. If you are emailing unencrypted personal sensitive information, let them know and they can help solve the problem. We work with vendors such as Microsoft, Dell, Sonicwall and other partners to help our practices comply as much as they can.
11. Ok - I’ve read everything and realise I need to make some changes. Where do I start?
GDPR covers so many things and it's not all IT related. From an IT perspective though, we believe the government's Cyber Essentials scheme will take you through the basics and act as a good vehicle to get you and your IT provider to talk through your data security worries. Even though some things are free to 'turn on', the time taken and the inconvenience can be costly.
No matter how much money you spend on technology, it can only help so much. People are the weak link in the chain, and training and awareness should not be overlooked!
This blog is one of a series of articles from our commercial partners.
The views expressed are those of the author and not necessarily those of ICAS.