The General Data Protection Regulation (GDPR) is a gamechanger for everyone. From May 25 2018, all businesses will be held accountable for how they handle their data. While on the surface some businesses may think they handle their data effectively, the regulation also extends to the data they hold for their clients, and in the case of accountants, their clients’ suppliers and customers.
What is GDPR?
The key aim of GDPR is to ensure that citizens have control over their personal data. This regulation acknowledges that huge volumes of sensitive data are being created, searched and stored and consumers have the right to understand how this information is being used by businesses. While this sounds like it may impact giants like Tesco and Amazon, who have huge customer databases, accountants need to get to grips with the rules before 2018 because they also store sensitive information on their clients, including payroll and bank account information.
So with less than a year to go – where do you begin?
Reassessing your data security to avoid a breach
To ensure that the data you hold for your clients is secure and compliant, assess your level of password security and confirm that all devices have encryption software installed (in line with the requirements of the Information Commissioner’s Office (ICO)). Additionally, make sure you do your due diligence before selecting a provider to back up your data, and securely encrypt any personal data before sending it on to a client. A great way of doing this is using a document portal for sign-off of accounts and audits and for clients to submit personal data, invoices and receipts.
It’s also important to ensure you have a rigorous procedure in place. Employing a data protection officer could provide a central point of contact to report any data breaches to, and they would be able to notify relevant parties in a timely manner.
Determining key IT functionality required to meet GDPR requirements
When someone asks for their data to be deleted, it’s not as simple as hitting a button. Care needs to be taken to ensure that a process is in place that also guarantees its removal from back-ups and cloud storage. Consider how many different places and systems your data is stored in and ensure that a defined process is in place to handle any data removal requests.
What about US global businesses?
With the elimination of Safe Harbour, accountants using US software will need to ensure that their cloud data is being stored within the European Economic Area (EEA). Many tech firms are starting to move their US servers to EU data centres to comply with this regulation.
CaseWare’s cloud data is held on Amazon’s AWS servers, using their EU-based servers. Both the current data and all backup and archived information are retained in this geographical region.
We would recommend including confirmation of where your client data is stored from the outset in your initial engagement letter with a customer, to ensure your policies on data handling are explicit.
A change in rules, but not in approach
With the EU proposing a fine of €20m or 4% of global turnover if a business doesn’t comply, accountants, and many businesses, cannot take this rule change lightly. With cyber-attacks on the increase and posing a serious threat to economic productivity, leaving data unprotected is not an option. The good news is that good data handling and adhering to strict processes is another day in the office for an accountant, so it’s a prime opportunity to show clients your value.