A quick-start accountants guide for GDPR

Believe it or not, it was just 100 days as of Valentine’s Day until the GDPR comes into force on 25 May 2018. You might want to use that as a milestone to measure how well your GDPR preparations are progressing.

At the Sage Sessions event in Newcastle on 20 February 2018 our panel of experts discussed GDPR for accountants and the impact it will have on your practice and clients, and how to ensure you are on track for the changes in May.

If you were unable to attend (or even if you were there), here are some notes for GDPR adoption within accountancy practices, with the following caveats. First, this is not an exclusive list and nor is it a substitute for receiving legally qualified advice or examining your own procedures and methods in depth (see the Sage Legal Disclaimer at the end of this piece).

Secondly, at the time of writing the exact impact isn’t yet known of the GDPR and accountants and bookkeepers should make sure they stay informed. For example, we lack practical examples of what agencies such as the Information Commissioner’s Office are likely to find acceptable or objectionable, and some of the wording of the GDPR legislation is open to interpretation. Therefore, what’s detailed below can only be considered educated guesses at the very best.

GDPR and accountants: software considerations

Accounting software is at the core of many firms that manage financial and personal data on behalf of their clients. Under GDPR enforcement, technical considerations must be given to how and where your selected software processes and hosts personal data, particularly if the software is cloud-based.

Accountants and bookkeepers must clarify with their IT and software providers how these systems will be compliant with GDPR. A comprehensive questionnaire/checklist will help to map dataflows and identify any vulnerabilities ahead of the GDPR compliance deadline.

This should cover everything relating to how the software interacts with personal data, including but not limited to:

• Technical specifications of the platform
• Data separation
• Use of anonymisation, pseudonymisation and encryption techniques
• Security, including considerations for mobile devices
• Data disablement
• Outsourcing/subcontracting
• Backup and disaster recovery procedures

Marketing data

Consent and legitimate interests are key considerations when assessing the use of personal data for marketing purposes. Do you have consent to contact an individual and is it for the purpose in which they have provided such consent?

Legitimate interest must be supported by a clear case for contacting an individual if outside of the reasons for why they have granted consent. For example, legitimate interests might cover informing your clients about a new service your firm offers as it is in their interest to be made aware of this information.

Prospect client details

It is common for accountancy practices to keep a record of any inbound enquiries from potential clients, typically including contact details and the nature of the enquiry. This would then drive new business initiatives with the aim of converting these prospects to clients.

Post-GDPR, firms will have to consider the lawful basis for why they need to retain this data and the agreement for how it will be used – whether this is based on consent, contract or other legitimate interest. For many accountants and bookkeepers, this will require a change in procedure that needs to be considered as part of their GDPR readiness plan.

Supplier data

While you’re thinking about how you treat the personal data of your clients and employees, let’s not forget your suppliers. It may well be that you are in receipt of personal data under this type of relationship and it requires the same level of protection as that afforded to other individuals.

Further to this, if your suppliers are required to process personal data on your behalf, don’t forget that the GDPR requires certain mandatory provisions to be incorporated into written agreements with those suppliers.

And where the situation is reversed, if you are acting as a data processor on behalf of another organisation, you can expect to be asked to enter into new processing terms too.

Staff data and recruitment

The GDPR affords greater rights to employees as data subjects. These include:

• The right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used.
• Data access, which encompasses subject access requests.
• Rectification of data that is inaccurate or incomplete.
• The right to be forgotten (under certain circumstances).
• Requests to block or suppress the processing of personal data.
• Data portability, which allows employees to obtain and reuse their personal data for their own purposes, such as joining another firm and asking for their personal data to be transferred.

The other significant consideration for accountancy practices relates to recruitment. Prior to GDPR enforcement, it is common practice for firms to hold on to copies of CVs once an advertised role is filled in case a candidate could be suitable for another position.

Under the GDPR, this will not be possible unless explicit consent is sought and given, in which case the data must be stored and handled in compliance with GDPR regulations.

Compliance spending

Accountancy firms should identify and plan for any costs relating to new systems, processes and resources needed to be GDPR compliant. This may include a migration from manual, hard-copy record keeping to a software solution, which would require not only investment in the system but also sufficient training for employees and clients.

Inspiring trust and confidence

Accountants are valued and trusted advisers to clients. To deliver on these expectations, there’s an incumbent need to share knowledge and advise clients appropriately on key legislation. So now is the time to analyse and understand the impact GDPR is likely to have on your practice and your clients.

Safeguarding personal data privacy rights

Safeguarding personal data under the GDPR will be much more stringent, particularly with regards to how data is captured through websites. For example, post-GDPR it must be explicitly clear when users opt-in via contact form tick boxes, and what those boxes correspond to.

Any contamination of personal data, which means an individual receives unsolicited communications for something they did not give consent for, will be reportable as a data safeguarding infringement.

Exchanging client data

Scoping and mapping not only how your practice manages personal data but also how you exchange data with clients, as a critical element of preparing for GDPR compliance. Under the GDPR, clients are entitled to audit third parties acting as data processors to ensure compliance across their supply chain.

The GDPR provides prescriptive requirements relating to the data sharing agreement between data controllers and data processors. For example, data processors are now required to:

• Maintain records of all processing activities carried out on behalf of a data controller if they employ 250 people or more; unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.
• Obtain the data controller’s consent for the appointment of a sub-processor.
• Cooperate with the data controller in the performance of its obligations under the GDPR, including notifying the data controller of a personal data security breach without delay.

The impact this will have on accountancy firms is that clients (as data controllers) will likely want to review their current and future agreements to ensure these requirements are adhered to.

Where your firm will act as a “controller in common” with your clients, consideration should be given to the following key areas when establishing a data sharing agreement:

• Clarify the purpose of the sharing.
• State which data will be shared.
• Confirm the basis of shared data.
• Detail the limitations on recipients shared data.
• Validate data quality, security and retention.
• Verify the process for practical governance.

Sage Legal Disclaimer

The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.

While we have made every effort to ensure that the information provided herein is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.

Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.