GDPR readiness plan: 5 steps for accountants to help clients
It’s only a matter of weeks before the General Data Protection Regulation (GDPR) comes into force. On 25 May 2018, your accountancy practice will need to be GDPR compliant. As an accountant, your clients may also turn to you for advice on preparing for the new legislation. A GDPR readiness plan can help.
Small and medium-sized businesses will be focusing on running and growing their firms and a part of that involves them relying on their network for guidance. As an accountant, you’ll play a key role in this, which is why offering the necessary advice on the GDPR will be vital for them.
To assist your clients in their GDPR preparations, you will need to go through a few steps to determine what they need to do and how you can help them.
By using a GDPR readiness plan, you can work with your clients to help them take the actionable steps required to make sure they are compliant. However, there’s also a benefit for your practice in this too: the plan will help you to identify opportunities to offer additional services to your clients.
Follow these steps to create a GDPR readiness plan for each client, and work closely with them to implement the plan within their business.
1. Ask questions
Start by finding out what your clients know about GDPR – have they heard of the legislation? Are they starting to put plans in place to be compliant? Have they heard about the GDPR but are ignoring it as they want to focus on building their businesses? Or do they know exactly what they are doing but need some help to be fully prepared?
Once you know the answers to these questions, you can start to build a plan. Other questions worth asking include the following:
- Have you mapped out the processes across your business that will involve personal information?
- How is data stored at your business – what is digital and what is hard copy?
- Who has access to the data that is stored at your business?
- How will you make sure all employees are aware of GDPR and can comply with it?
- How will you make sure your suppliers are compliant with GDPR?
2. Determine the goals of the GDPR readiness plan
Use the answers your clients gave to the questions above, which show where they are with their GDPR preparations, to set the goals of the plan.
For example, you might find that your client is close to being ready for the GDPR but needs help with an awareness campaign for their employees, so they know about the legislation and what it means for their roles.
By taking this step, you will also determine which aspects of the GDPR matter most to their business. Remember, this isn’t a simple box-ticking exercise – the plan needs to focus on bringing clarity to any GDPR privacy risks your clients may face.
3. Create a data strategy
This is a really important step as it will help your clients to understand the types of data they need to hold, who it’s about, how it will be processed in a way that is GDPR compliant and the necessary investment to make sure it’s possible to deliver on this strategy.
4. Determine the outcomes of the GDPR readiness plan
To be GDPR compliant, a data protection solution needs to be appropriate for the individual business. That means the solution for one business is likely to differ from that for another. By determining the necessary outcomes, you can help your clients see what they need to do.
There are some key focus areas that need to be considered here:
- Governance: Understand what personal data clients hold and how they plan to manage it.
- Individual rights: Be clear on what individuals can request and what they have rights over. Set up your processes accordingly to handle these requests.
- Breach reporting: Put in place robust incident management procedures to be compliant with the GDPR requirement for reporting data breaches to the regulator within 72 hours.
- Reliance on third parties: Data controllers need to understand how their supply chain handles data. The necessary contracts with appropriate clauses, retention periods and audit trails must be in place in time for GDPR enforcement.
- Training: Identify what level of training your clients’ employees will require to understand the requirements of the GDPR. HR and marketing departments are two areas of a business that may have more exposure to personal data, so employees working within them might need more training and support.
5. Put the GDPR readiness plan into play
Once you and your clients have their GDPR plans in place, the most important step is to carry them out. GDPR compliance doesn’t simply require that your clients are ready for the date the legislation comes into force; it also means they must be able to demonstrate how their business collects, uses, retains, discloses and destroys personal data in line with the requirements.
Your clients will find that their working processes are likely to change in order to be compliant, and those changes need to be sustained. To stay in line with what’s required of them, they will need:
- A clear, documented, risk management framework
- Personal data to be kept up to date and accessible in response to data subject requests
- To define roles and responsibilities for data privacy – this must be audited regularly
- To create policies, processes and procedures that are well managed and fit for purpose
- Transparency with third parties relating to what they’re doing with the company’s data
Final thoughts
By taking the time to go through a GDPR plan with your clients, they will be clearer about what they need to do to be ready for the legislation coming into force and can take the necessary steps to change their data processes.
And remember, as an accountancy firm, if your business hasn’t taken these steps yet, it’s worth beginning the process now to prepare for the GDPR.