Panicking about your practice failing to meet the GDPR deadline sounds serious, but if you stop clock-watching and take some simple steps, you’ll keep out of the regulator’s bad books
Last month we spoke to two practitioners about their efforts to get to grips with GDPR. Now, with the 25 May ‘deadline’ upon us, we cover the accounting experts’ take on how you can achieve compliance.
In this issue, we round up the wealth of material provided by the UK’s two largest accounting Institutes, the ACCA and ICAEW, and speak to Amanda Watts about GDPR from a marketing perspective – dispelling myths about sending those dreaded ‘re-subscribe’ emails.
AdvanceTrack MD Vipul Sheth talks about the work being undertaken to ensure GDPR compliance.
Let’s start at the beginning: what are the key aspects of GDPR that will likely impact an accounting practice? The ACCA’s ‘How to Prepare’ two-part document outlines common actions that practitioners should be taking, along with a discussion of the most common GDPR concepts. We’ll focus on the first part.
The Institute states that GDPR “is not a departure” from current data protection rules in the UK, but more of an “expansion”.
GDPR is about the management and protection of personal data. It applies to controllers and processors of such data:
- a controller is a person who decides how and why personal data is processed.
- a processor is a person acting on a controller’s behalf. GDPR introduces new requirements for processors: they have to maintain data processing records, document the lawful basis under which they process data and inform the data controller in the event of a breach.
Accountants, suggests the ACCA, are ‘usually’ data controllers. There are several key areas where accountants collate personal data, store it and share it. This will include marketing campaigns; details being left with the firm by prospective clients; engagement letters; setting up standing orders; carrying out anti-money laundering checks; involving a third party to carry out money laundering checks; and submitting tax returns.
The controllers will have to demonstrate internal policies and controls in place and applied consistently. This will include documentary evidence kept and made available to the Information Commissioner’s Office (ICO) and regulators when required.
While the ICO has created a ‘12 steps to prepare’ overview guidance, the ACCA created a list of what it believes will be most relevant to practitioners.
First, ‘awareness’. Undertake training for yourself and staff – and be prepared to repeat this every two years and document your actions.
Second, plan an internal data audit. This is about reviewing and documenting what information is held, where it’s held, where it came from, how it was obtained and whether it’s up-to-date and correct.
Where you rely on consent as the lawful basis for processing, it must be obtained in a GDPR-compliant format (freely given, specific, informed and unambiguous) and re-sought where documentary evidence of it doesn’t exist. Bear in mind that consent is only one of six lawful bases; much routine accounting work rests on contract, legal obligation or legitimate interests, and the point is to document which basis you rely on rather than to collect consent you do not need.
Examples of the types of detail that need to be documented to demonstrate your compliance are provided by the ACCA. This includes policies followed to ensure data processing is lawful; policies on how data is stored, used and protected (in a GDPR-compliant manner); policies relating to the management of privacy; subjects’ access request response procedures (referring to the new deadline of one month to respond to someone regarding their data); procedures to detect, investigate and act on data breaches; how to manage data in times of organisational change; vetting third-party data processors; and IT security maintenance procedures.
For privacy communication and GDPR compliance notices, the ACCA suggests accountants consider updating engagement letters and creating personal data consent/opt-in forms. Other issues referred to above, such as subjects’ access rights and data breaches may require you to create draft templates. Also, attain and retain documentary evidence of third-party providers’ efforts to be GDPR compliant.
Lastly, the ACCA says practices must assess and understand their IT security. This will include consideration of passwords, data back-up, secure networks and encryption. Privacy notices will also be required in communication footers such as marketing emails and website landing pages.
The ACCA also has a series of GDPR-focused webinars you can view.
The ICAEW has, like the ACCA, pulled together a fantastic resource of material for the accounting community, including sample wordings for engagement letters and GDPR checklists. Another of these resources is an FAQ, based on a whopping 94 questions received by the Institute during its ‘GDPR: Your Questions Answered’ webinar on 23 January 2018. The answers were provided by the Institute’s Jane Berney and Mark Taylor.
Question: Would all email need to be encrypted when sent from a firm to its clients when it concerns services provided, i.e. an email asking for some information for a tax return?
Answer from ICAEW (abridged): The GDPR advocates a risk-based approach when considering security and privacy… encryption is not mandated but can be viewed as part of the overall security system… consider encrypting any attachments before sending an email. Many compression tools have encryption features. Similarly, files shared using portal-like software or on-line file sharing services should also be encrypted before being shared.
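The answer above points at the encryption features of compression tools. The check a practitioner wants before relying on a password-protected ZIP is whether the archive actually uses AES or the legacy ZipCrypto scheme, which has been breakable with a known-plaintext attack since the 1990s and which several older tools still default to. The Python below is an added example, not ICAEW or ACCA material: it builds three small single-entry archives in memory as constructed fixtures (the “ciphertext” in them is fake, so they are only inspected, never extracted) and classifies each entry’s protection. The rule that an attachment is safe to send only when every entry is AES-encrypted is an assumption made for illustration.

```python
"""Classify how each entry in a ZIP attachment is protected: not at all,
legacy ZipCrypto, or WinZip-style AES (method 99 plus a 0x9901 extra field).

Added example. Assumptions: archive bytes are already in memory, and
"safe to send" means every entry is AES-encrypted. Fixtures are constructed
inline by build_zip() so the script runs offline."""
import io
import struct
import zipfile
import zlib

AES_METHOD = 99          # compression method 99 = "AES encrypted" (WinZip AE-x)
AES_EXTRA_ID = 0x9901    # extra-field ID that carries the AES parameters
FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry is encrypted
_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}


def build_zip(name: str, payload: bytes, *, zipcrypto: bool = False, aes_strength: int = 0) -> bytes:
    """Build a single-entry ZIP with the headers a real tool would write.

    The payload is stored verbatim as a metadata fixture (fake ciphertext for
    the encrypted variants), so the result is only ever listed, not extracted.
    """
    crc = zlib.crc32(payload)
    flags, method, extra = 0, zipfile.ZIP_STORED, b""
    if zipcrypto:
        flags = FLAG_ENCRYPTED                      # ZipCrypto: only the flag changes
    if aes_strength:
        flags, method = FLAG_ENCRYPTED, AES_METHOD  # AES: method 99 + AE-2 extra field
        extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", aes_strength, zipfile.ZIP_STORED)
    fname = name.encode()
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, 0, 0x21,
                        crc, len(payload), len(payload), len(fname), len(extra))
    local += fname + extra + payload
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method, 0, 0x21,
                          crc, len(payload), len(payload), len(fname), len(extra), 0, 0, 0, 0, 0)
    central += fname + extra
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def _aes_strength(extra: bytes) -> str:
    """Walk the extra fields and read the key-strength byte from the 0x9901 record."""
    while len(extra) >= 4:
        hid, size = struct.unpack("<HH", extra[:4])
        body = extra[4:4 + size]
        if hid == AES_EXTRA_ID and len(body) >= 7:
            return _STRENGTH.get(body[4], "aes-unknown")  # version(2) 'AE'(2) strength(1) method(2)
        extra = extra[4 + size:]
    return "aes-unknown"


def classify(archive: bytes) -> list:
    """Return one dict per entry: name plus 'none', 'zipcrypto' or 'aes-<bits>'."""
    result = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            protection = "none"
            if info.flag_bits & FLAG_ENCRYPTED:
                # Encrypted but not method 99 means the legacy PKWARE stream cipher.
                protection = "zipcrypto"
                if info.compress_type == AES_METHOD:
                    protection = _aes_strength(info.extra)
            result.append({"name": info.filename, "protection": protection})
    return result


def safe_to_send(archive: bytes) -> bool:
    """Assumed policy for this example: every entry must be AES-encrypted."""
    entries = classify(archive)
    return bool(entries) and all(e["protection"].startswith("aes-") for e in entries)


# Constructed fixtures: a plain archive, a ZipCrypto one and an AES-256 one.
SAMPLE_PLAIN = build_zip("tax-return.pdf", b"constructed sample content")
SAMPLE_ZIPCRYPTO = build_zip("tax-return.pdf", b"fake ciphertext", zipcrypto=True)
SAMPLE_AES256 = build_zip("tax-return.pdf", b"fake ciphertext", aes_strength=3)

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("zipcrypto", SAMPLE_ZIPCRYPTO), ("aes-256", SAMPLE_AES256)):
        print(f"{label:10} {classify(blob)} safe_to_send={safe_to_send(blob)}")
```

Two caveats the check cannot cover: the ZIP format leaves file names and sizes in cleartext even when the contents are AES-encrypted (7-Zip’s `.7z` container with header encryption enabled avoids this), and the password must travel by a different channel from the attachment, never in the same email.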
Q: We have users who store years’ worth of emails in their inbox. This very likely includes personal information on ex-clients or even potential clients that never became clients. Should we be going through these and deleting?
A: We would recommend deletion as best practice, as you should only retain data (in whatever form) for as long as necessary. We would also recommend that you set a policy for the retention of emails.
Q: Should new engagement letters be issued to all (existing and new) clients?
A: Post-25 May 2018 engagement letters should refer to the GDPR as the applicable legislation (and the new DPA 2018 once it comes into force), not the DPA 1998, and explain how you will be complying with them. This could be sent, however, as an addendum to an existing letter once the GDPR and DPA 2018 come into force.
Q: Is the cloud a problem if the server is not in the EU/EEA?
A: Yes – the cloud provider will still need to comply with the GDPR if processing the personal data of EU data subjects.
For more visit ICAEW.com/GDPR
Marketing lists… don’t panic!
A key area of focus, stress and confusion for accountants has been in an area that can be difficult to manage at the best of times: their marketing contact lists.
For Amanda Watts, an accountancy marketing coach, there’s no point panicking about a lack of plan and potential non-compliance. “It’s too late!” she says. What the regulators will want to see is that you’ve at least begun the planning process. But where to start? First, Watts suggests practitioners approach their third-party services providers who will hold or process details of their clients – and ask them for their GDPR and compliance details. These will need to be kept on file.
On the marketing lists, a key concern has been about getting everyone to ‘opt back in’ to receiving your material. However, “that’s not going to work because if someone has signed up to your newsletter already then they’re [likely to be] GDPR compliant anyway”.
Problems will occur where practitioners have acquired or leased data lists. See the main article for some guidance.
As for being fined, Watts believes that e-marketing third party providers will be more concerned about who you’re targeting. In other words, if they receive lots of bounce-back emails from your lists, they may say ‘stop sending rubbish on our platform’. “It’s not about the multi-million pound fines… it’s the platforms that will stop it,” Watts says. “So stop the rubbish going out to the audience. Quality will have to go up, and so business will fly.”