GDPR Guidelines That Every Accounting Firm Should Know
With increasing amounts of personal data being collected and stored, there have rightly been concerns about privacy breaches and the misuse of data. In response, the EU has laid down specific rules for the use of personal data in the General Data Protection Regulation (GDPR). The GDPR replaces the 1995 Data Protection Directive (implemented in the UK by the Data Protection Act 1998, itself replaced by the Data Protection Act 2018), with more prescriptive obligations and greater accountability. It applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. It covers personal data held electronically as well as data held in structured paper filing systems. Because of the nature of accounting work and the volume of personal data handled, accounting firms will be among the most affected and will need to improve both their data handling and their cybersecurity.
Here is a GDPR summary of the key points that accounting firms should be aware of.
GDPR personal data definition
Since the GDPR applies to all firms processing personal data, it is important to understand what 'personal data' means in the first place. Here is a brief GDPR summary of what constitutes personal data:
- Any information relating to an identified or identifiable living person, such as their name, address and date of birth, including information that identifies someone only when combined with other data the firm holds (a client reference number, for example).
- Online identifiers that can be used to identify a person, such as an IP address, cookie identifiers and location data.
- A subset, the 'special categories' of personal data (for example health, trade union membership, religious beliefs and biometric data), is subject to tighter rules and needs an additional condition before it can be processed.
For accounting firms, personal data includes client data (for sole traders and partnerships, the financial records themselves are personal data) as well as firm data (information about the firm's own employees, partners and contractors). Both categories are covered by the GDPR.
GDPR guidelines for data collection
To comply with the GDPR's rules on the collection and use of personal data, firms need to take the following measures:
- Individuals need to be clearly informed when you collect data from them, and what you collect it for. This also applies to cookies and similar trackers set by your website.
- Every processing activity needs a lawful basis. Consent is only one of six bases and is often the wrong one for an accounting firm: preparing a client's accounts rests on the contract with the client, and keeping tax and anti-money-laundering records rests on a legal obligation. Where consent is relied on, it must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give.
- At the time of collection, you must also provide the privacy information the GDPR requires: who you are, the purpose and lawful basis for the processing, how long you will keep the data (or the criteria used to decide), who it will be shared with, and the individual's rights. This privacy notice should be concise and written in plain language.
- Individuals have the 'right to be forgotten' (the right to erasure). Where processing was based on consent, withdrawing that consent entitles them to have the data erased; the right does not override data the firm is legally obliged to keep, such as statutory accounting or tax records, and the individual should be told which data is retained and why. When erasure does apply, it must reach every copy, including cloud storage and backups; where a backup cannot be edited, the ICO's position is that the data must be put beyond use and removed when the backup is retired.
- Personal data should not be kept longer than necessary (the storage limitation principle). Set a retention schedule for each type of record: data of clients who have left the firm should be deleted once the statutory retention period for those records has expired, and data that is no longer needed for any purpose should be deleted now.
Regulations for external vendors and software
Under the GDPR, both data controllers (the firm that decides why and how data is processed) and data processors (a third party that processes it on the firm's behalf) are accountable for data protection. So if your firm uses business process outsourcing or cloud accounting software provided by a third party, you need to ensure that they meet the GDPR's requirements as well; the controller remains responsible for choosing only processors that give sufficient guarantees.
The GDPR obligations for data processors include:
- A record of the processing carried out on behalf of each controller needs to be maintained.
- Personal data may be processed only on the controller's documented instructions and for the purposes the controller has specified.
- In the event of a personal data breach, the controller needs to be informed without undue delay, with enough detail for it to meet its own reporting deadline.
The GDPR also specifies what a contract between a data controller and a data processor must contain. A written agreement between both parties is mandatory and should include:
- The subject matter and duration of the processing
- The nature and purpose of the processing
- The types of personal data and categories of individuals involved, together with the processor's obligations (confidentiality, security measures, use of sub-processors, assistance with individuals' rights, and deletion or return of the data at the end of the contract)
GDPR checklist for accounting firms to ensure compliance
The GDPR gives supervisory authorities strong enforcement powers. Firms can be fined up to 20 million euros or 4 per cent of their total worldwide annual turnover for the preceding financial year (whichever is higher) for the most serious infringements, such as processing without a lawful basis or ignoring individuals' rights. To check that your firm complies with the GDPR, here is a checklist you can refer to:
- Review your firm's current processes with your legal team to identify 'compliance gaps'. Start with a data map: what personal data you hold, where it came from, where it is stored, who can access it and on what lawful basis, so you know which procedures for collection, storage and use need to change.
- Revisit all relationships with external vendors and third-party service providers to ensure that they are GDPR-compliant and that a written processing agreement is in place. Your firm can be held accountable alongside a processor that is found to be violating the rules.
- Work closely with your IT department to ensure that all software used is secure and that access to client data is limited to the staff who need it. They will also need to check whether client data can be comprehensively deleted across all platforms, including exports, e-mail and backups, if an erasure request has to be honoured.
- Since the GDPR also covers firm data, you need to be transparent about how employee data is processed. Consent is rarely a valid basis for employee data because of the imbalance of power between employer and employee, so rely on the employment contract or a legal obligation where possible, and tell staff in a privacy notice what is collected and why.
Reporting data protection breaches
In some cases, despite a firm's best efforts, there may still be a security breach. With large GDPR fines possible for mishandling one, firms need to act quickly and follow the proper protocol if a breach is detected.
Here is a 3 point action plan that accounting firms should follow when reporting data protection breaches:
1. Identify and assess the breach:
As soon as a breach has been detected, your firm has to investigate it and assess the risk to the individuals affected. The clock starts when the firm becomes aware of the breach: notifiable breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of that moment, so you shouldn't waste any time in establishing the following information:
- What happened: how the data was accessed, lost or disclosed and, if known, by whom
- Timeline of the breach: when it started, when it was detected and whether it is still ongoing
- Which categories of individuals and records are affected, and roughly how many
- The likely consequences for those individuals, and what you have done or will do to contain the breach and limit the harm
2. Inform regulatory bodies and stakeholders:
Report the breach straight away to whoever owns data protection in the firm, typically the Data Protection Officer (DPO) where one is appointed. The DPO will assess the extent of the breach and help the firm decide whether it must be reported to the supervisory authority (the ICO in the UK). A breach must be reported unless it is unlikely to result in a risk to individuals' rights and freedoms; the report goes to the supervisory authority within 72 hours of becoming aware of the breach, and if you do not yet have all the facts you can report what you know and supply the rest in phases. A DPO is mandatory only in certain cases (for example where the firm's core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data), but someone must own this process in every firm; the ICO website sets out when a DPO is required and what the role involves.
Individuals whose data has been compromised should also be informed without undue delay if the breach is likely to result in a high risk to them. Failing to report a notifiable breach is itself an infringement, so timely action reduces both the harm to clients and the firm's exposure to a fine.
3. Specify preventive measures:
After a breach has taken place, firms need to put in place measures to prevent it from happening again, and record what happened and what was done, since the GDPR requires every breach to be documented whether or not it was reportable. These measures could include migrating to more secure software, tightening access controls, or deploying monitoring that alerts you to suspicious behaviour such as bulk downloads of client files.
The introduction of the GDPR should be seen as a positive initiative by both organisations and individuals. It can increase a client's trust in a firm and improve the transparency of processes within an organisation.
To learn more about Sundaram Business Services and how we can support your organisation, visit sundarambizserv.com