Ringing in the regulatory changes with GDPR
Friday, December 15, 2017
This Christmas Day will mark the five-month countdown to adoption of the EU General Data Protection Regulation (GDPR), which comes into force on 25th May 2018. While it may not be one to mull over during the forthcoming festivities, it is a topic that needs to be addressed in the New Year for practices with any gaps in their knowledge, or without adequate strategies in place for compliance.
In the UK, it will be the Data Protection Bill that turns GDPR into law and, regardless of Brexit, we are expected to keep these EU-standard regulations and potentially see the scope widen further under UK rule. It is much needed, though, when you consider that the vast quantity of data collected and stored in an increasingly digital world is currently protected by legislation that is over a decade old.
GDPR will empower individuals with greater rights over their personal data than they currently have. In broad terms, that includes being able to access, erase and move personal data – including through IP addresses, internet cookies and DNA. Individuals will have the right to ask businesses and organisations what data they hold on them, and to ask for that data to be erased. It will signal the end of ‘opt-out’ or pre-selected tick boxes, often found on marketing material. And it will provide more flexibility, making it easier to move data between service providers.
Additional power is being given to the individual over how their private data exists in the world, and as a result, businesses will be held accountable for dealing with that data properly. For accountants, it means changes to how client information is handled and safeguarded; the role of ‘trusted advisor’ will become more literal and complex, with that trust extended to protecting sensitive data at all costs, as required by law.
Firms that deal with processing any high-risk personal data will have to perform impact assessments to demonstrate that they understand and can mitigate risks. Should there be a security breach, they must notify the Information Commissioner’s Office (ICO) within 72 hours. If the breach is high risk, businesses will also be obliged to contact the individuals affected and communicate what information has been leaked and what may have been accessed as a result.
If it sounds serious, it’s because it is; the stakes have been raised by the ICO. Under GDPR, the ICO gains new powers to carry out investigations and impose sanctions. It will also be able to enter and inspect premises, undertake audits and demand that standards improve. On top of this, if a fine is imposed, the ICO can insist on penalties of up to £17m or 4% of global turnover, and there is now a broader scope of criminal offences that wrongdoers can be charged with.
These rather alarming implications of data breaches assume a worst-case scenario, and there is much that can be done to ensure this never happens. Looking at the positives, the UK’s adoption of such contemporary and comprehensive legislation can only help our business community adapt to changes in the modern world, give a consistent framework for all to adhere to, and protect personal data – the most valuable asset of all.
Where a significant step change is coming, preparation is key. If recent research is to be believed, 83% of accountants have not yet spoken to their clients about GDPR and fewer than half have even discussed the issue internally. Below we outline some pointers on how to get GDPR-ready:
There is still time to plan and prepare without panicking. If a practice has not yet done so, now is the time to review the way any client, prospective client and employee data is obtained, managed, stored and shared, to ensure this is done in a compliant fashion within the coming months. It is important that senior teams also understand and support any changes that need to be made, especially if this involves client communications, IT, processes or staff training. Absorb all information available before acting – planning well in advance can only help.
Know your role
Accountants are classified as a ‘data controller and data processor’, which comes with certain responsibilities. The ICO states a data controller “must exercise control over the processing and carry data protection responsibility for it.” A data processor is, to paraphrase, someone that “processes the data on behalf of the data controller.” The ICO guidelines refer to accountants, specifically stating that: “when acting for his client, the accountant is a data controller in relation to the personal data in the accounts.”
Privacy Impact Assessments are required under certain circumstances, which means auditing how personal data is sourced and retained. It is especially pertinent to sensitive data, such as tax returns. It means understanding your practice’s own systems and processes, but also your supply chain, such as IT providers, including cloud-based resources or back-up systems. An audit should examine what information is requested from individuals, how it is handled internally, how it is secured (and how secure that method is), whether you share it externally, how long you keep hold of it, and when and how thoroughly you get rid of it.
Forgive and forget
A major element of the GDPR is that individuals now have the ‘right to be forgotten’ and can request to have personal data held by a business permanently erased. There are obvious exceptions, where deleting the data would cross the line with other laws, for instance by failing to keep financial records for the required period. However, where there is no such legal conflict, a request to ‘be forgotten’ or a withdrawal of consent must be accepted, and all data must be eradicated across all platforms, from physical files to cloud storage. You must also notify other known holders of the data that consent has been withdrawn and the data should be deleted.
The era of confusing tick-boxes is over; consent must now be “specific, informed, and unambiguous.” There can be no ambiguity: there should be an explanation of how the data will be handled, and any third parties who will also have access to the data must be named. Instructions on how to revoke consent must also be clear and easily found. It may be a different approach from what firms are used to, but providing an ‘opt-in’ option for using personal data, with a clear explanation of your intentions, rather than an ‘opt-out’ box that is easy to miss, is the safer route.
Your marketing approach
Query your own marketing processes, reviewing the communication routes and tactics you use with existing or prospective clients. Be transparent in asking for consent to send marketing communications, and ensure these only go to those who have specifically opted in. Make sure the content you send them is relevant and is what they opted in to receive. Afford recipients ample and obvious opportunity to opt out of future correspondence.
Seize the opportunity
Clients will need to understand more about these new regulations too; they impact almost all businesses. In undertaking your own audits and improving the systems and processes in place, the learning curve will give you first-hand knowledge of the situation that clients are in, so that you can help them aim for best practice too. In the role of trusted advisor, there is a clear opportunity to offer GDPR guidance and add value.
The ICO has published a wealth of information to help guide businesses, including a helpful 12-step guide to preparing for 25th May. The CPAA will continue to keep you informed, but also keep in touch with peers to share experiences and advice, and lean on business groups and networks; as GDPR affects all types of professions, there will be an abundance of support around.
Granted, no accountant ever welcomes more regulation that requires time and effort to implement, but this is something designed to make everyone safer and business practices more robust in a more complex technological world. With that will come the eradication of bad habits and dubious dealings, and the welcoming in of best practice and the potential for new opportunities.