New European data rules may seem abstract and scary to the accounting world, so Kevin Reed has spoken to two practitioners about the work their firms have been through to get to grips with GDPR
From processors to controllers, through to the right to be forgotten and data portability, the new European rules for data protection under the acronym GDPR seem more akin to a science-fiction plot than compliance.
But it is very real, and very close. From 25 May, the new rules set out to create a world in which personal data is much more rigorously controlled, protected and understood. For accounting practitioners, who handle and process reams of personal information for and on behalf of clients, it may feel more like another layer of red tape that gets in the way of performing their role.
We have spoken to two accountants about the work their practices have undertaken to get to grips with GDPR, and the upshot and ramifications of their efforts.
Donagh Waters is a partner at Dublin-based McInerney Saunders. The six-partner practice provides a range of services to clients beyond accounting audit and tax, including forensic investigation and wealth management.
What approach did your practice take to ‘dealing with’ GDPR?
The first time we became aware of it was last summer. We formed a steering committee of two partners to begin the process. We’ve always been taxed about how we manage data protection – we were conscious that in the past the way to trip up was over client money… now it’s client data. After forming the committee, the next thing was to educate ourselves. We attended lots of events. The tone set at the top is important – which is why we’ve had two partners on it. It would be easy to delegate, but we preferred partners to cascade it down the organisation.
What actions did you deem as required, and how did you then manage the project?
We were trying to understand how it applies to us. For example, in the past we’ve outsourced outside of the firm so were conscious about covering that in our engagement letters. And having that in our engagement letter we had contractual obligations in place with the outsourcer as well… The Irish Data Protection Act makes us conscious of the importance of confidentiality. With nothing in place GDPR would feel like scaling Mount Everest. I put together a ‘personal data map’. This was to look at the flow of personal data into the organisation and out – it was an interesting exercise.
Within our business it’s secure – but we found it’s more about how it comes in – do we have consent to process it? And then when it leaves to an external party such as a specialist tax expert, it’s then a question of how it is accessed. It’s important to close down any weak points around data flow; for example, a client engages you to do their payroll. But the real issue is not ‘corporate’, it’s personal data of employees and your client. So, are their employees aware their data has left their employer? We’re the data processor, not the controller. So there’s a [responsibility] on them as data controller.
What stage are you at?
From 25 May you can’t access our data apart from using an authorised device. No data will be held on the laptops, so when you use it you’re logging in through our secure portal. Data can’t be taken from it unless you had passwords to access the portal. If a laptop is stolen, we’re pretty sure there’s no data on it. Then you need to consider paper files: now our policy is they can’t be left anywhere unsecure – if taken outside the office they must be brought back that day. We’re not at the end of the journey yet.
One of the things to do is around policies and procedures and making sure they’re completely updated. Apart from that, it’s make sure agreements with staff and checklists go to all suppliers, we update contracts of employment and then finally, staff awareness and education – why we do what we do – so they can appreciate why we do it.
Did you consider the project as ‘just compliance’, or have you been able to leverage your efforts to become a better-organised practice?
It has forced us to think carefully about security and data security – it’s been a very interesting exercise. This project has touched on law, data protection and IT, and I wouldn’t hold myself to be an expert on it all! It will be difficult at the start, but [the new way of working] will become the norm. Have you used the experience to advise clients on GDPR?
Have you had requests for advice on the topic?
We feel we’re covered, but we need to [particularly] help [payroll] clients. Some clients have been proactive and sent us checklists asking us to confirm what we do. We’re updating our engagement letters, but I wonder if some clients are not actually reading it. We’ll start reminding clients of their responsibilities under GDPR to get consent.
Nick Millard is senior manager at Accounting4Everything, a small practice based in Paignton, Devon. The practice is led by James Twigger, who won Practitioner of the Year at the British Accountancy Awards 2015.
What approach did your practice take to ‘dealing with’ GDPR?
We downloaded the Information Commissioner’s Office guide to GDPR, and then we accessed the full official regulations. We did this for two reasons – so we’ve got a full copy at hand and to have both full regulations; the UK’s version includes notes and ideas. We went on a training day to provide us some more clarity and information. We got what we needed… and they’re now a client! We have seen some differences on GDPR interpretation [in our studies].
What actions did you deem as required, and how did you then manage the project?
Our first part is completed. We’ve looked at all our software and checked their data policies and privacy policies, against GDPR. Most software companies have GDPR policies in place, or are going through that process. We’re changing some software over because it wasn’t GDPR compliant. For example, we’ve gone with data portal technology that’s UK-based and compliant – it’s all encrypted. We would have done it later down the line and had been looking at it, but GDPR pushed forward the need to do it.
One of the big things has been going through systems, processes and looking at how we hold data and how we contact clients. There are ways of improving what we do using GDPR as the leverage. For example, we don’t want clients to ring us with wage receipts information – it’s difficult to take a record of the call, and it could be anyone ringing up. We’re very aware that it’s easy to hand out and discuss client information over the phone but not very safe to do that. So all [client/employee dialogue] will come through the portal, which will be up and running by the end of April.
What stage are you at?
We have a very detailed three-page data storage policy, which has all our software listed on there; what data we hold on them, the reasons behind the software; their compliance literature (with weblinks to their policy), and then how long we hold the data for. That was the first stage. I’ve also run a half-day training session for all staff.
Did you consider the project as ‘just compliance’, or have you been able to leverage your efforts to become a better-organised practice?
We’ll definitely, 100%, be a better-organised practice because of it. I don’t see it as us being bogged down – there are so many products out there to make yourself efficient. The extra bit of thought and admin [from GDPR] will be offset by providing a better service, and we can help our clients better because we have their information in one place, and know when work’s being done. Our staff can see where we are on a job or client because it’s more structured. The bits ‘in between’ such as handwritten notes and calls that haven’t been tracked – that will now be in our systems and portal. It will be a pain at the start – more work – but once we get past that there’s savings and efficiencies to be made, and a better practice for employees and clients.
