How can accountants prepare to comply with GDPR?
The General Data Protection Regulation (GDPR) deadline for compliance is fast approaching. With the aim of harmonizing data privacy laws across Europe and strengthening the protection of data, GDPR imposes new requirements on companies that process and hold personal data.
The accountancy industry handles a large volume of sensitive client information on a daily basis. Although accountants must already adhere to a number of rules when handling this information, the GDPR changes will modernize those rules and result in more stringent protection of sensitive data.
To ensure accountants are ready for the changes, The Institute of Chartered Accountants in England and Wales (ICAEW) has released a document answering some of the common questions accountants have concerning GDPR.
Here is an overview of the information:
Does the GDPR still apply to just personal data?
According to ICAEW, the answer to this is yes. Just as before, personal data refers to data which relates to a living individual who can be identified from the data or “other information which is in the possession of or is likely to come into the possession of, the data controller.”
Are there any changes to what is included as personal data under GDPR?
In order to reflect changes in technology, GDPR has added to the types of data that can identify a “living individual”. As well as name, address, and date of birth, it also includes IP addresses, location data, and cookie identifiers, as well as genetic data. Additionally, GDPR covers both paper and electronic data.
Accountants and accountancy firms process two different types of personal data:
- Client data: Personal data received from clients in relation to professional engagements and practice.
- Firm data: Personal data held by a firm in relation to its own management, employees, and affairs.
Does the GDPR only apply to digital processing?
According to ICAEW, manual and paper records are also included in GDPR if they are part of a ‘relevant filing system’, i.e. papers stored systematically in a filing cabinet are included but ad hoc paper files are not.
“Members should ensure that they apply the same levels of diligence to paper records as they do digital records and that any decisions made regarding the lawful basis for processing, adhering to data protection principles and upholding data subjects’ rights include paper records,” notes ICAEW.
As with the Data Protection Act (DPA), the GDPR specifies that the processing of personal data must be in line with the data protection principles. According to ICAEW these have not changed, but the principle of accountability has been added, which leads us to the next question:
How can I prove accountability?
The accountability principle refers to the need for companies to demonstrate compliance with the GDPR’s data protection principles.
Internal mechanisms and control systems must be put in place to ensure compliance, together with evidence that they are working. This is important because that evidence may have to be shown to external stakeholders, including supervisory authorities.
Therefore, members must have written policies and procedures set out in a Data Protection Policy, with training given to all staff to ensure understanding.
Additionally, businesses are advised to demonstrate the suitability of their systems. Schemes such as the National Cyber Security Centre’s Cyber Essentials enable members to demonstrate the security and suitability of their systems.
How will the new rights of individuals impact my accountancy firm?
The GDPR has enhanced the rights of individuals whose data is held. As such, your accountancy firm must be aware of these and set up policies and procedures to facilitate them. The rights now consist of:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision-making and profiling
While these rights require processes to be in place to ensure they are met, the ICAEW explains that not all the rights are absolute. According to the “GDPR for accountants: Your questions answered” document, in some cases you may take a risk-based approach. This involves deciding not to put processes in place for certain rights if it is unlikely that a client will ask you to enforce them.
“For accountancy practices, we believe this is most likely in regard to the new rights regarding automated decision making and profiling but that all the other rights may be enforceable in certain circumstances,” outlines the document.
So, are you GDPR-ready?
With accountants handling a vast amount of data on a daily basis, it is vital for firms to ensure they have procedures and policies in place to meet GDPR requirements.
While this may seem like a whole lot of work, GDPR should be seen as an advantage for both the clients whose data is being held and accountants themselves.
GDPR gives accountancy firms the opportunity to showcase to clients their ability to securely hold and process their information in line with data regulations. This shows that client data is a priority for your practice and as a result, clients will be more inclined to trust you with their business and personal data.
You can view the full set of questions answered by ICAEW here.