How the New EU-Wide Law Affects Your Firm
The General Data Protection Regulation (GDPR) becomes EU law on 25 May 2018, meaning there’s a real imperative to review the ways you obtain, store and process clients’ personal data.
But this imminent GDPR deadline needn’t be a reason to panic.
What’s needed is a clear plan that shows how your firm will meet the GDPR requirements. And, to help get your data ticking all the right compliance boxes, we’ve outlined the main requirements of the new law and the key actions you’ll need to take as a firm.
What is GDPR?
With so much business now carried out in the digital domain, personal data has never been as widely shared, used and stored as it is in 2018 – and that raises questions around data security.
The General Data Protection Regulation (GDPR) has been created to bring existing data protection regulations in line with the changing ways businesses use individuals’ data. It’s an EU-wide law that expands on the existing Data Protection Act to harmonise individuals’ data privacy laws across the EU, significantly tightening the regulations and compliance around data.
In short, GDPR is the EU’s way of giving individuals, prospects, clients, contractors and employees more control over, and better access to, their personal data.
Will My Firm Be Affected by GDPR?
On the whole, GDPR applies to companies with over 250 employees. But there are stipulations within the legislation that mean firms with fewer staff are almost certainly going to be required to meet the stated guidelines around data protection.
GDPR identifies both ‘controllers’ of data and ‘processors’ of data in Article 4 of the GDPR rules, with both equally liable to data subjects (that’s your clients, in plain English).
Controller = “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Processor = “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
When an accountant carries out work on a client’s behalf they’re classified as a data controller under GDPR. Your firm can also be classed as a processor, so it’s possible to be both controller and processor, depending on how your client data is stored and then processed.
In either circumstance, you’re bound by the GDPR rules and must make moves to comply with the new law.
What Do I Need to Do?
As an accountancy/bookkeeping firm, and as a data controller/processor, it’s important that you know what’s expected of the firm – and what your next steps should be to meet GDPR.
Gary Bell, partner at FLB Accountants, has already started contacting their clients to spell out the high-level data protection changes that will be needed, as he outlines:
“The protection of client data is of paramount importance to us, and for this reason we’re making a number of changes internally to protect the data we hold. We’ll also be changing the way we exchange sensitive data with clients to enhance our processes.”
Penalties for non-compliance by firms could be significant – €20M or 4% of company turnover. But knowing exactly what’s required can be a challenge, given the open-ended nature of some of the Information Commissioner’s Office (ICO) guidelines.
This lack of clarity is something that Richard Suswain, partner at Tyrrell & Company, encountered when investigating GDPR for their firm.
“From the GDPR guidelines that I’ve read, certain areas seem a little ambiguous. It all comes down to how you choose, as an accountant, to interpret the legislation, so it seems like further guidance from the ICO needs to follow. Some of the best guidance is coming from the ICAEW where the institute is more specific around what accountants should be doing to comply with GDPR.”
And although that 25th May deadline is coming around fast, what’s important is to have planned ahead for GDPR and to be working towards making your data processes compliant.
“There is a lot of concern about meeting the 25th May 2018 deadline for GDPR, but the important thing at this stage is to have a plan in place for getting compliant and to start documenting, for instance, where and why you’re holding personal data. Firms are trying to get engagement letters out there with new terms and privacy policies, but if you look at the institutes – whether it’s the CIOT, the ACA or the ICAEW – none of them will have new engagement letter templates or guidance ready until Summer 2018.
So let’s not panic about GDPR, let’s use it as an opportunity to review your processes and the way you handle personal data and to make sure you’ve got a clear plan. For me, the important thing at the moment is to document what you’re doing around data flows and protection and to start taking action.”
10 Key Steps for Your Firm to Action
With the May 2018 deadline getting ever closer, now’s the time to get your plan in place and to start getting ready for the GDPR changes. So, if you’ve not already started your GDPR compliance processes, what are the key things you’ll need to do as a firm?
Here are 10 fundamental steps for your firm to action:
- Audit and document your data flows – map all personal client data that comes into (and out of) the firm. And note down where that data is stored, who can access it and whether there’s any potential risk element to that data source.
- Update engagement letters and client communications – you’ll need to revise your engagement letters in line with your institute’s new guidance. This will also mean updating your privacy policies and any GDPR-related agreements with clients around data protection and consent to be contacted electronically by the firm.
- Encrypt your devices and servers – making your IT hardware secure is a key element to get right. If you’re a Windows 10 user, you automatically have a tool called BitLocker which provides a simple way to encrypt your PC – and Mac users have access to third-party encryption tools that do the same job. You also need to make sure the servers you’re using are encrypted too, making your hardware storage as secure as possible.
- Review how you transmit client data – look at the ways you’re transmitting client information from your laptops or PCs. That means looking at email encryption and how you share information with clients, or moving this process to a document-sharing portal to remove the need for attachments in emails etc.
- Clean up existing client data – only store the data you need for engagement and compliance purposes. If you’re holding out-of-date or unnecessary personal data, now is a good time to delete this and clear down your systems.
- Use 2-factor authentication for cloud apps – with your cloud apps and solutions, it’s vital to know where the data is stored and to ensure you have 2-factor authentication (2FA) enabled for these apps. Security encryption tools like Authanvil or Okta sit across all your systems, allowing you to assign 2FA policies, single sign-ons and bring-your-own-device policies for staff to all the cloud apps you’re using in the firm.
- Train staff on good data practices – your whole practice should be up to speed on best practice when it comes to managing data, but GDPR provides an incentive to get formal training in place and to enhance your staff’s understanding of data security.
- New contracts for all employees – whether you run your HR in-house or have outsourced to a third party, you’ll need to update your employment contracts to cover privacy and employment data under GDPR.
- Appoint a Data Protection Officer – if your firm has over 250 employees, you’re legally bound to appoint a Data Protection Officer, but there’s value in defining this role whatever the size of your firm – giving you a senior person to oversee the whole process and ensure the firm’s compliance.
- Have a clear plan in place – get your GDPR compliance plan in place as a matter of urgency, so you can clearly demonstrate that you’re taking action.
By taking clear, decisive action now, keeping your firm compliant with the GDPR legislation needn’t be a headache. It’s a great chance to review your data processes, educate your staff and enhance the overall security of the practice – while ticking the right compliance boxes.
There’s more guidance on meeting your GDPR requirements on the ICAEW website.
How Boma Protects Your Personal Data
Boma abides by strict privacy rules governing the use of your data, including your client details. For GDPR we are well advanced in our preparations for the introduction of the new regulations on 25th May, and we’ll be posting an update to our blog on this topic in the coming weeks.