What does the GDPR mean for accountants?
With the General Data Protection Regulation (GDPR) arriving at our doorstep next week, many companies are frantically making last minute preparations to ensure compliance.
The new regulation aims to harmonize data privacy laws across Europe, strengthening the protection of the data. GDPR imposes stringent rules and responsibilities on any global company that handles the data of EU citizens.
Accountants should be particularly concerned with the new regulations since dealing with a large amount of sensitive client information is the very core of their job.
There are already a number of rules and regulations that accountants should already be adhering to when it comes to handling this information. But the fast-approaching regulations will modernize protections, which will, in turn, result in more stringent protections on sensitive data.
In order to give the accountancy industry a clearer idea of GDPR and what it means for them, the Institute of Chartered Accountants in England and Wales (ICAEW) have published “GDPR for accountants: your questions answered“.
Here is an overview of some of the key questions answered:
Does the GDPR still apply to just personal data?
According to ICAEW, the answer to this is yes. Just as before, personal data refers to data which relates to a living individual who can be identified from the data or “other information which is in the possession of or is likely to come into the possession of, the data controller.”
Are there any changes to what’s included as personal data since GDPR?
In order to reflect changes in technology, GDPR has added to the type of data that can identify a “living individual”. As well as name, address, and date of birth, it also includes IP addresses, location data, and cookie identifiers as well as generic data. Additionally, GDPR covers both paper and electronic data.
Accountants and accountancy firms process two different types of personal data:
- Client data: Personal data received from clients in relation to professional engagements and practice.
- Firm data: Personal data held by a firm in relation to its own management, employees, and affairs.
What type of processing does GDPR apply to?
According to ICAEW, GDPR applies to both manual and digital processing.
Manual and paper records are included in GDPR if they are part of a ‘relevant filing system’ i.e papers stored systematically in a filing cabinet are included but ad hoc paper files are not.
“Members should ensure that they apply the same levels of diligence to paper records as they do digital records and that any decisions made regarding the lawful basis for processing, adhering to data protection principles and upholding data subjects’ rights include paper records,” notes ICAEW.
GDPR adds the “accountability” factor to data protection
It seems that the main difference from the Data Protection Act (DPA) to the GDPR is the added component of accountability. This refers to the need for accountancy firms to demonstrate compliance with the principles of GDPR.
Internal mechanisms and control systems must be in place to ensure compliance- as well as evidence to prove this. This evidence is important as external stakeholders such as supervisory authorities may require you to show- and if you fail to do this you could be hit with a potentially hefty fine.
Therefore, in order to comply, your accountancy firm must have written policies and procedures listed in a Data Protection Policy along with training sessions given to all staff to ensure understanding.
It is also advised for your firm to demonstrate the suitability of your systems. For instance, the National Cyber Security Centre’s “Cyber Essentials” helps you to guard against common cyber threats and demonstrate your commitment to securing your systems.
How will GDPR impact the rights of your clients?
The GDPR regulations have enhanced the rights of individuals whose data is held. As such, your accountancy firm must be aware of these and set up policies and procedures to facilitate them. The rights now consist of:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights re: automated decision making and profiling
While these rights require processes to be in place to ensure they are met, the ICEAW explains that not all the rights are absolute. According to the “GDPR for accountants: Your questions answered” document, in some cases, you may take a risk-based approach. This will involve making the decision not to have certain rights if it is unlikely that a client will ask you to enforce them.
“For accountancy practices, we believe this is most likely in regard to the new rights regarding automated decision making and profiling but that all the other rights may be enforceable in certain circumstances,” outlines the document.
Are you prepared for GDPR?
With the GDPR deadlines looming, businesses everywhere are reaching for the panic button.
While the new regulations require a lot of preparation and hard-work, GDPR should be seen as an advantage for both the clients whose data will be more strictly protected and for the accountants themselves.
GDPR offers accountancy firms the opportunity to show clients their ability to securely hold and process their information in line with data regulations. This shows that the protection of client data is a priority for your practice and as a result, clients will be more inclined to trust you with their business and personal data.
You can view the full set of questions answered by ICEAW here.
31 March 2020