Panicking about your practice failing to meet the GDPR deadline sounds serious, but if you stop clock-watching and take some simple steps, you’ll keep out of the regulator’s bad books

Last month we spoke to two practitioners about their efforts to get to grips with GDPR. Now, with the 25 May ‘deadline’ upon us, we cover the accounting experts’ take on how you can achieve compliance.

In this issue, we round up the wealth of material provided by the UK’s two largest accounting Institutes, the ACCA and ICAEW, and speak to Amanda Watts about GDPR from a marketing perspective – dispelling myths about sending those dreaded ‘re-subscribe’ emails.

AdvanceTrack MD Vipul Sheth talks about the work being undertaken to ensure GDPR compliance.

 

ACCA

Let’s start at the beginning: what are the key aspects of GDPR that will likely impact an accounting practice? The ACCA’s ‘How to Prepare’ two-part document outlines common actions that practitioners should be taking, along with a discussion of the most common GDPR concepts. We’ll focus on the first part.

The Institute states that GDPR “is not a departure” from current data protection rules in the UK, but more of an “expansion”.

GDPR is about the management and protection of personal data. It applies to controllers and processors of such data:

  • a controller is a person who decides how and why personal data is processed.
  • a processor is a person acting on a controller’s behalf. GDPR introduces new requirements in relation to processors: they have to maintain data processing records, document the lawful basis under which they process data, and inform the data controller in the event of a breach.

Accountants, suggests the ACCA, are ‘usually’ data controllers. There are several key areas where accountants collate personal data, store it and share it. This will include marketing campaigns; details being left with the firm by prospective clients; engagement letters; setting up standing orders; carrying out anti-money laundering checks; involving a third party to carry out money laundering checks; and submitting tax returns.

The controllers will have to demonstrate internal policies and controls in place and applied consistently. This will include documentary evidence kept and made available to the Information Commissioner’s Office (ICO) and regulators when required.

 

Action points

While the ICO has created a ‘12 steps to prepare’ overview guidance, the ACCA created a list of what it believes will be most relevant to practitioners.

First, ‘awareness’. Undertake training for yourself and staff – and be prepared to repeat this every two years and document your actions.

Second, plan an internal data audit. This is about reviewing and documenting what information is held, where it’s held, where it came from, how it was obtained and whether it’s up-to-date and correct.

Consent to process the data is required, and must be in a GDPR-compliant format. Consent should be reiterated where documentary evidence doesn’t exist.

Examples of the types of detail that need to be documented to demonstrate your compliance are provided by the ACCA. This includes policies followed to ensure data processing is lawful; policies on how data is stored, used and protected (in a GDPR compliant manner); policies relating to the management of privacy; subjects’ access request response procedures (referring to the new 30-day deadline to respond to someone regarding their data); procedure to detect, investigate and act on data breaches; how to manage data in times of organisation change; vetting third-party data processors; and IT security maintenance procedures.

For privacy communication and GDPR compliance notices, the ACCA suggests accountants consider updating engagement letters and creating personal data consent/opt-in forms. Other issues referred to above, such as subjects’ access rights and data breaches, may require you to create draft templates. Also, obtain and retain documentary evidence of third-party providers’ efforts to be GDPR compliant.

Lastly, the ACCA says practices must assess and understand their IT security. This will include consideration of passwords, data back-up, secure networks and encryption. Privacy notices will also be required in communication footers such as marketing emails and website landing pages.

The ACCA also has a series of GDPR-focused webinars you can view.

 

ICAEW

The ICAEW has, like the ACCA, pulled together a fantastic resource of material for the accounting community, including sample wordings for engagement letters and GDPR checklists. Another of these resources is an FAQ, based on a whopping 94 questions received by the Institute during its ‘GDPR: Your Questions Answered’ webinar on 23 January 2018. The answers were provided by the Institute’s Jane Berney and Mark Taylor.

 

Question: Would all email need to be encrypted when sent from a firm to its clients when it concerns services provided, i.e. an email asking for some information for a tax return?

Answer from ICAEW (abridged): The GDPR advocates a risk-based approach when considering security and privacy… encryption is not mandated but can be viewed as part of the overall security system… consider encrypting any attachments before sending an email. Many compression tools have encryption features. Similarly, files shared using portal-like software or online file sharing services should also be encrypted before being shared.

Q: We have users who store years’ worth of emails in their inbox. This very likely includes personal information on ex-clients or even potential clients that never became clients. Should we be going through these and deleting?

A: We would recommend deletion as best practice, as you should only retain data (in whatever form) for as long as necessary. We would also recommend that you set a policy for the retention of emails.
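The internal data audit the ACCA describes (what is held, where, where it came from, and whether it is still needed) and the email retention policy the ICAEW recommends above both come down to the same routine check: walk an inventory of the personal data the practice holds and flag anything past its retention period or lacking a documented lawful basis. The script below is an added example, not code from the ACCA, the ICAEW or this article; the record schema, the categories and the retention periods in `RETENTION_DAYS` are assumptions standing in for a practice’s own retention policy, and the inventory entries are constructed sample data.

```python
"""Data-inventory review: flags records held past their retention period and
records with no documented lawful basis.

Added example. The schema, categories and retention periods below are
assumptions, not the ACCA's, the ICAEW's or any practice's actual policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    """One entry in the practice's data inventory (hypothetical schema)."""
    ref: str             # internal reference for the entry (constructed)
    category: str        # kind of data; keyed into RETENTION_DAYS
    subject_type: str    # client / prospect / ex_client / employee
    location: str        # where the data is held (mailbox, DMS, portal ...)
    source: str          # where it came from
    lawful_basis: str    # documented basis for processing; "" if none recorded
    last_activity: date  # last date the record was actually needed


# Assumed retention schedule in days. A real schedule comes from the practice's
# documented retention policy and any statutory record-keeping periods.
RETENTION_DAYS = {
    "email": 2 * 365,
    "prospect_enquiry": 365,
    "tax_return": 6 * 365,
    "aml_check": 5 * 365,
}


def retention_expiry(record, retention=RETENTION_DAYS):
    """Date after which the record should no longer be held."""
    return record.last_activity + timedelta(days=retention[record.category])


def review_inventory(records, today, retention=RETENTION_DAYS):
    """Sort inventory entries into action buckets.

    delete           - held past the retention period for its category
    no_basis         - no lawful basis recorded (documentation gap)
    unknown_category - category not covered by the retention schedule
    ok               - within retention and basis documented
    A record can appear in both 'delete' and 'no_basis'.
    """
    findings = {"delete": [], "no_basis": [], "unknown_category": [], "ok": []}
    for r in records:
        if r.category not in retention:
            findings["unknown_category"].append(r.ref)
            continue
        has_basis = bool(r.lawful_basis.strip())
        if not has_basis:
            findings["no_basis"].append(r.ref)
        if today > retention_expiry(r, retention):
            findings["delete"].append(r.ref)
        elif has_basis:
            findings["ok"].append(r.ref)
    return findings


# Constructed sample inventory, not real client data.
SAMPLE_INVENTORY = [
    Record("R1", "email", "ex_client", "partner mailbox", "client correspondence",
           "contract (engagement letter)", date(2014, 3, 1)),
    Record("R2", "prospect_enquiry", "prospect", "CRM", "website enquiry form",
           "", date(2017, 11, 20)),
    Record("R3", "tax_return", "client", "document management system", "client",
           "legal obligation", date(2017, 1, 31)),
    Record("R4", "aml_check", "client", "AML provider portal", "third-party check",
           "legal obligation", date(2012, 6, 1)),
    Record("R5", "phone_notes", "client", "handwritten notes", "phone call",
           "", date(2018, 4, 2)),
]


def report(today=date(2018, 5, 25)):
    """Run the review against the sample inventory as of the GDPR start date."""
    return review_inventory(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for bucket, refs in report().items():
        print(f"{bucket:17s} {', '.join(refs) or '-'}")
```

Run as of 25 May 2018, the old ex-client emails (R1) and the stale AML check (R4) land in the delete bucket, the prospect enquiry (R2) is flagged for having no recorded lawful basis, and the handwritten phone notes (R5) surface as a category the retention schedule never considered, which is exactly the kind of ‘in between’ data the audit is meant to find. The point of keeping the findings as data rather than just printing them is that the review can be re-run on a schedule and its output kept as the documentary evidence the ICO may ask for.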

 

Q: Should new engagement letters be issued to all (existing and new) clients?

A: Post-25 May 2018 engagement letters should refer to the GDPR as the applicable legislation (and the new DPA 2018 once it comes into force), not the DPA 1998, and explain how you will be complying with them. This could be sent, however, as an addendum to an existing letter once the GDPR and DPA 2018 come into force.

 

Q: Is the cloud a problem if the server is not in the EU/EEA?

A: Yes – the cloud provider will still need to comply with the GDPR if processing the personal data of EU data subjects.

For more visit ICAEW.com/GDPR

 

Marketing lists… don’t panic!

A key area of focus, stress and confusion for accountants has been in an area that can be difficult to manage at the best of times: their marketing contact lists.

For Amanda Watts, an accountancy marketing coach, there’s no point panicking about a lack of plan and potential non-compliance. “It’s too late!” she says. What the regulators will want to see is that you’ve at least begun the planning process. But where to start? First, Watts suggests practitioners approach their third-party services providers who will hold or process details of their clients – and ask them for their GDPR and compliance details. These will need to be kept on file.

On the marketing lists, a key concern has been about getting everyone to ‘opt back in’ to receiving your material. However, “that’s not going to work because if someone has signed up to your newsletter already then they’re [likely to be] GDPR compliant anyway”.

Problems will occur where practitioners have acquired or leased data lists. See the main article for some guidance.

As for being fined, Watts believes that e-marketing third party providers will be more concerned about who you’re targeting. In other words, if they receive lots of bounce-back emails from your lists, they may say ‘stop sending rubbish on our platform’. “It’s not about the multi-million pound fines… it’s the platforms that will stop it,” Watts says. “So stop the rubbish going out to the audience. Quality will have to go up, and so business will fly.”

New European data rules may seem abstract and scary to the accounting world, so Kevin Reed has spoken to two practitioners about the work their firms have been through to get to grips with GDPR

From processors to controllers, through to the right to be forgotten and data portability, the new European rules for data protection under the acronym GDPR seem more akin to a science-fiction plot than compliance.

But it is very real, and very close. From 25 May, the new rules set out to create a world in which personal data is much more rigorously controlled, protected and understood. For accounting practitioners, who handle and process reams of personal information for and on behalf of clients, it may feel more like another layer of red tape that gets in the way of performing their role.

We have spoken to two accountants about the work their practices have undertaken to get to grips with GDPR, and the upshot and ramifications of their efforts.

Donagh Waters is a partner at Dublin-based McInerney Saunders. The six-partner practice provides a range of services to clients beyond accounting audit and tax, including forensic investigation and wealth management.

What approach did your practice take to ‘dealing with’ GDPR?

The first time we became aware of it was last summer. We formed a steering committee of two partners to begin the process. We’ve always been taxed about how we manage data protection – we were conscious that in the past the way to trip up was over client money… now it’s client data. After forming the committee, the next thing was to educate ourselves. We attended lots of events. The tone set at the top is important – which is why we’ve had two partners on it. It would be easy to delegate, but we preferred partners to cascade it down the organisation.

What actions did you deem as required, and how did you then manage the project?

We were trying to understand how it applies to us. For example, in the past we’ve outsourced outside of the firm so were conscious about covering that in our engagement letters. And having that in our engagement letter we had contractual obligations in place with the outsourcer as well… The Irish Data Protection Act makes us conscious of the importance of confidentiality. With nothing in place GDPR would feel like scaling Mount Everest. I put together a ‘personal data map’. This was to look at the flow of personal data into the organisation and out – it was an interesting exercise.

Within our business it’s secure – but we found it’s more about how it comes in – do we have consent to process it? And then when it leaves to an external party such as a specialist tax expert, it’s then a question of how it is accessed. It’s important to close down any weak points around data flow; for example, a client engages you to do their payroll. But the real issue is not ‘corporate’, it’s personal data of employees and your client. So, are their employees aware their data has left their employer? We’re the data processor, not the controller. So there’s a [responsibility] on them as data controller.

What stage are you at?

From 25 May you can’t access our data apart from using an authorised device. No data will be held on the laptops, so when you use it you’re logging in through our secure portal. Data can’t be taken from it unless you had passwords to access the portal. If a laptop is stolen, we’re pretty sure there’s no data on it. Then you need to consider paper files: now our policy is they can’t be left anywhere unsecure – if taken outside the office they must be brought back that day. We’re not at the end of the journey yet.

One of the things to do is around policies and procedures and making sure they’re completely updated. Apart from that, it’s make sure agreements with staff and checklists go to all suppliers, we update contracts of employment and then finally, staff awareness and education – why we do what we do – so they can appreciate why we do it.

Did you consider the project as ‘just compliance’, or have you been able to leverage your efforts to become a better-organised practice?

It has forced us to think carefully about security and data security – it’s been a very interesting exercise. This project has touched on law, data protection and IT, and I wouldn’t hold myself to be an expert on it all! It will be difficult at the start, but [the new way of working] will become the norm.

Have you used the experience to advise clients on GDPR? Have you had requests for advice on the topic?

We feel we’re covered, but we need to [particularly] help [payroll] clients. Some clients have been proactive and sent us checklists asking us to confirm what we do. We’re updating our engagement letters, but I wonder if some clients are not actually reading it. We’ll start reminding clients of their responsibilities under GDPR to get consent.


Nick Millard is senior manager at Accounting4Everything, a small practice based in Paignton, Devon. The practice is led by James Twigger, who won Practitioner of the Year at the British Accountancy Awards 2015.

What approach did your practice take to ‘dealing with’ GDPR?

We downloaded the Information Commissioner’s Office guide to GDPR, and then we accessed the full official regulations. We did this for two reasons – so we’ve got a full copy at hand and to have both full regulations; the UK’s version includes notes and ideas. We went on a training day to provide us some more clarity and information. We got what we needed… and they’re now a client! We have seen some differences on GDPR interpretation [in our studies].

What actions did you deem as required, and how did you then manage the project?

Our first part is completed. We’ve looked at all our software and checked their data policies and privacy policies, against GDPR. Most software companies have GDPR policies in place, or are going through that process. We’re changing some software over because it wasn’t GDPR compliant. For example, we’ve gone with data portal technology that’s UK-based and compliant – it’s all encrypted. We would have done it later down the line and had been looking at it, but GDPR pushed forward the need to do it.

One of the big things has been going through systems, processes and looking at how we hold data and how we contact clients. There are ways of improving what we do using GDPR as the leverage. For example, we don’t want clients to ring us with wage receipts information – it’s difficult to take a record of the call, and it could be anyone ringing up. We’re very aware that it’s easy to hand out and discuss client information over the phone but not very safe to do that. So all [client/employee dialogue] will come through the portal, which will be up and running by the end of April.

What stage are you at?

We have a very detailed three-page data storage policy, which has all our software listed on there; what data we hold on them, the reasons behind the software; their compliance literature (with weblinks to their policy), and then how long we hold the data for. That was the first stage. I’ve also run a half-day training session for all staff.

Did you consider the project as ‘just compliance’, or have you been able to leverage your efforts to become a better-organised practice?

We’ll definitely, 100%, be a better-organised practice because of it. I don’t see it as us being bogged down – there are so many products out there to make yourself efficient. The extra bit of thought and admin [from GDPR] will be offset by providing a better service, and we can help our clients better because we have their information in one place, and know when work’s being done. Our staff can see where we are on a job or client because it’s more structured. The bits ‘in between’ such as handwritten notes and calls that haven’t been tracked – that will now be in our systems and portal. It will be a pain at the start – more work – but once we get past that there’s savings and efficiencies to be made, and a better practice for employees and clients.

This will become law regardless of the UK’s continuing membership of the EU. It is also likely that to trade with individuals and organisations within the EU, post Brexit, UK businesses will need to be compliant with these regulations. The GDPR will apply in the UK from 25 May 2018.

Should we be scared by the new regulations?

With a potential fine of 4% of global turnover or €20m, we need to ensure that we understand how it impacts on us as professional firms. If you outsource, you need to consider carefully whether your outsourcing supplier is able to allow you to remain compliant. Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Do we know what actions to take? Let’s see what you need to know.

Data Protection Officer

Accountability is a key component of the new regulation. In certain circumstances, data controllers and processors must appoint a Data Protection Officer (“DPO”) as part of the organisation’s accountability.

The following are circumstances where an organisation needs to have a designated DPO:

  1. Processing carried out by a public authority;
  2. The core activities of the controller or processor consist of processing which requires regular and systematic monitoring of data subjects on a large scale; or
  3. The core activities consist of large scale processing of special categories of data.

The DPO may be employed or on a service contract, but is required to have enough expert knowledge, dependent on the activities for which they are responsible. This DPO may act for a number of undertakings.

Territorial Reach

The GDPR also impacts on processors of data outside the EU, so this will impact on all outsourcers in popular locations outside the EU such as India. It applies to processing activities relating to the offering of goods and services (even if free) to EU data subjects, or to monitoring their behaviour within the EU. Many will need to appoint a representative in the EU.

Most outsourcers will, for example, have no presence in the EU. In such circumstances, firms using a provider that is not compliant could be breaching the regulations. Companies outside the EU targeting customers within the EU will be subject to the GDPR, which is not the case currently.

The Role of the Data Processor

The GDPR requires data processors to have direct obligations for the first time. This includes an obligation to maintain a written record of processing activities carried out on behalf of the data controller, appoint a DPO where required and notify the Data Controller of a personal data breach without an undue delay. Provisions related to cross border transfers will also apply to processors.

Supply and commercial agreements will need to be reviewed to accommodate the new regulations.

Accountability

The Data Controller has onerous obligations to demonstrate compliance. This can include:

  1. Maintain documentation.
  2. Carry out a data protection impact assessment for more risky processing.
  3. Put in place data protection by design and default.

Fair Processing Notices

When personal data is obtained, the Data Controller must provide transparent information to data subjects. Existing forms of fair processing notice will need to be reviewed, as the GDPR is more detailed than the rules currently in place. The information to be given to the data subject is more comprehensive than is currently the case, including, for example, the ability to withdraw consent and the period for which data is stored.

Data Controllers will need to provide information in a clearly accessible format in a clear way with the new GDPR obligations in mind.

Consent

It needs to be as easy for a data subject to withdraw consent for processing as it was to give it. The data controller will be mandated to demonstrate that consent was given, and whilst existing consents may still work, they need to meet the new conditions.

There are areas concerning personal data used for direct marketing and also the age of parental consent where there is no clarity on whether the age is 16. Some member states can lower this to 13. We will look at this further in a future newsletter or on our website in the coming months.

Fines

There will be a tiered approach to the way penalties for breaches are imposed. This will enable DPAs to impose fines of up to the higher of 4% of global revenue and €20m (for example, breaching the requirements relating to international transfers or basic principles for processing, such as conditions for consent).

There are other specified infringements which attract fines up to the higher of 2% of global revenue and €10m. These fines apply to an “undertaking” and this was clarified in Articles 101 and 102 of the TFEU.

The One-Stop Shop

A company operating in many EU countries would generally only deal with one lead DPA. There has been a degree of criticism of this. In order to address some of it, the GDPR allows individuals to have their cases dealt with locally, with the Lead Authority and Concerned Authorities working together. It is to be hoped that, when in place, this does not lead to forum shopping.

Removing a Notification Requirement

There will no longer be a requirement for a data controller to notify or seek approval from the DPA in some circumstances. Whilst this may reduce a financial and administrative burden, it may lead to some DPAs seeking alternative funding. The policy now is for Data Controllers to put in place effective procedures and mechanisms to focus on higher risk operations and undertake a data protection impact assessment.

This should consider the severity and likelihood of risk, especially with large scale processing. A lot of effort is required, and the potential fines are such that they may outweigh the benefits. There is also a new requirement to consult the DPA in advance where the data protection impact assessment indicates high risk if measures are not taken. If the DPA considers the processing may breach the GDPR, it could give written advice or use its enforcement powers. An assessment may have multiple impacts, unless nothing is high impact(!). If your outsourcer, for example, uses e-mail and tools such as Dropbox to exchange confidential data, you may need to consider whether that places your firm at risk of fines were there then to be a data breach.

European Data Protection Board (”EDPB”)

The independent EDPB will comprise the EDP Supervisor and senior representatives of the national DPAs. Its role will be to issue guidance and opinions, report to the EU Commission and apply the GDPR consistently across the EU.

International Transfers

The way that consent is dealt with for data exporters has changed. Moving data outside the EU now requires subjects to have sufficient information on the risks of data transfer outside the EU. In the context of outsourcing, this will require you to ensure that any outsourcer has strong protocols, so that you can satisfy yourself of the risks. Consider, for example, whether an outsourcer using e-mail or Dropbox to transfer confidential information is able to satisfy the new requirements.

Data Subjects’ Rights

The strengthening of individuals’ rights was one of the main aims of this new regulation. This includes, for example, a right to require information about data being processed about them, being able to access such data in some circumstances, and correction of data where incorrect. There will also be rights relating to data used for direct marketing purposes. For more complex requests, the period for responding can be extended. Clear processes will need to be in place to meet such obligations, and the response must be provided free of charge unless the request is “manifestly unfounded or excessive”.

Six Things you should do now to be ready for GDPR

  1. Embrace privacy by design. When a new process or product is deployed, ensure that privacy is embedded into the process. Considering the process early on enables it to be structured and validation checks to be put in place.
  2. Understand the legal basis on which you use personal data. Consider engagement letters and contracts, as these may often be your form of consent for processing, and consider what happens if that consent is withdrawn. The documents should demonstrate that consent is given freely, is specific and informed; the burden of proof will be on the data controller, for example the accounting firm. Obtain legal advice on how you would deal with any withdrawal of consent.
  3. Review your privacy notices and policies. Policies need to be transparent and easily accessible. Information provided needs to be in clear and plain language.
  4. Accountability framework. Clear policies need to be in place to meet the standards.
  5. Review the data subjects’ rights. Data subjects may exercise rights such as data portability or the right to erasure. If personal data is retained, consider what legitimate grounds there are to retain it. The burden of proof is on you to demonstrate that your legitimate grounds for retention override the interests of data subjects.
  6. Prepare for data security breaches. Clear policies and practised processes need to be in place in order to react quickly to any data breach and ensure that timely notification is made where required.