GDPR replaces the data protection directive of 1995, on which the current Data Protection Act is based, with the aim of strengthening data protection for all individuals within the European Union.
While it’s clear that larger accountancy practices are well advanced with their preparations, a significant percentage of smaller practices have not yet started to consider the impact of GDPR on their own organisations.
Our survey of over 100 members of the UK accountancy profession sought to establish levels of understanding and to explore the practical steps that are being put in place to prepare for GDPR.
Knowledge of GDPR
Probed on the extent of their knowledge about GDPR:
- A worrying 64% of survey respondents commented that they have only conducted basic research and appreciate the most rudimentary changes that GDPR will bring.
- An additional 22% know what GDPR stands for but have little broader understanding of the impact and potential consequences of the regulation.
- Only 14% would classify themselves as ‘knowledgeable’ about GDPR.
What data do you hold?
Accountants in practice hold a significant amount of data in their systems, in terms of their own operations and also client data, including marketing data and client records. To prepare for GDPR, they need to make sure that they can identify the personal data they hold and where it’s stored.
As well as data held in-house, most practices will use outsourcers and processors who hold data on their behalf. Accountants must make sure that their contracts with these organisations cover the requirements of GDPR, that the data is kept secure, and that it is stored only in jurisdictions where GDPR permits it to be held.
Even though carrying out a data audit and privacy impact assessment can be time consuming, this is an essential foundational step. Without these basic elements in place, a practice cannot assess how its processes meet the enhanced rights of individuals and the governance requirements of GDPR. The audit is also an essential part of demonstrating that the practice has put in place policies and procedures to protect data, and that those policies are enforced, monitored and regularly reviewed.
Just like any other business, practices will also be holding personal data in relation to their own organisation and people, for example partners’ financial records and HR/payroll records.
Consents and compliance
Under GDPR, accountancy practices will need to have appropriate consents, policies and procedures in place but, for an accountancy practice, this is not the only consideration. There is the added complication of dealing with a significant amount of personal data in relation to their clients for compliance and advisory services, and possibly their clients’ own employees and customers, for example in respect of personal tax return preparation and tax planning, book-keeping services, financial accounts preparation and HR and payroll data.
Furthermore, there is the complexity of having to comply with potentially conflicting legislation. For example, if an ex-client submits a request under the right to erasure, there is likely to be data that the practice needs to retain to meet legal and other obligations, such as anti-money laundering regulations and HMRC’s document retention requirements for clients’ financial records and personal tax data. There’s also the integrity of the practice’s own financial records to consider.
The policies and processes that the practice puts in place will need to make sure that all of this is covered.
It’s clear that practices still have a lot of work to do to adequately prepare for GDPR. Those who have not yet started the journey now need to address this as a matter of urgency, otherwise they risk being totally unprepared for 25 May 2018. So if your practice hasn’t yet started its preparations, we’d encourage you to initiate these discussions as soon as possible.
Software to help accountancy practices and their clients with GDPR compliance
We’ve partnered with a leading online solutions provider to support accountancy practices and their clients in their journey to initial compliance and ongoing governance.
CCH GDPR Compliance is a cloud-based system that brings together everything you need for GDPR in one place. Simple checklists and workflows generated by the software steer you through each aspect of compliance. The system helps you log, report and manage data breaches and it allows you to update all your privacy notices from a single location.
In future articles we’ll be looking at other aspects of GDPR and providing useful guides and checklists.