Security of Client Data held outside the UK

What can we do - to satisfy the client who asks, and our regulators when they visit?


As a small accounting practice, we are anticipating our next Practice Assurance visit, and looking at the Cyber Essentials scheme and the incoming General Data Protection Regulation.

The privacy statements of our software suppliers describe the data they collect, which seems to include everything possible.  

Client asks "Where is my data stored?  How do you know it's safe?"
QuickBooks seems to originate from the USA, Xero from New Zealand (but stores its data in the USA), Taxfiler is based in the UK but says it transfers data outside the EEA (but doesn't say where), Futrli says data is held in the UK but may be accessed by people outside the EEA, and so it goes on.  In other words, our data could be anywhere.

Many of these software products are based in the USA.  In QuickBooks' privacy narrative it says they are part of the Privacy Shield scheme.  Intuit is listed on the Privacy Shield website too - excellent - but we couldn't find any of the other cloud software products above listed there.

The guidance in ICAEW Tech 05/14 refers to Safe Harbor, which has been superseded by Privacy Shield.  Other suggestions (encrypt email attachments, clear desk policy) seem somewhat disconnected when the bulk of data-sharing is likely to happen through cloud-based software for accounts, tax, forecasting, payroll, practice management, and so on.

Client asks "Is there a backup?"
Most of our client data could soon reside with these cloud-based suppliers.  Suppose that our direct debit fails because a major bank crashes for a few days (remember...?)

They might try the direct debit again, but there's little contractual assurance in the supplier's T&Cs that we will find our data still available.  The main incentive for them keeping the data until we can regain access to it is probably our future remittances.  We might be happy to pay an advance deposit in return for a guarantee of (say) retrieve-only access to data for a year should our subscription stop, but I've not seen anything like that offered.

Yes, we could print a PDF of the audit trail, but to do this individually for every client, and again for the tax software, and then the forecasting software, and...   every month...  really?

I cannot see any quick way of backing up client data.

Client says "I didn't give you permission to send my data to someone else..."
If we connect QuickBooks Online to an App, there is an authorisation to the effect that any data passed from QBO to the App provider will be treated under the respective companies' privacy policies.  I need to contact my client for permission to share their data in this way.  They will ask me some questions, and so I research the privacy statement of the App supplier concerned.  I email this to my client and ask if he's OK with this, and usually that's fine.  All the same, I wouldn't like to have that question asked of me if I hadn't done it beforehand.

I can't think of any practical way to cover this except through the Engagement Letter, and use some generic permission about third-party suppliers - as they do.

All this seems quite patchy.  What do you guys do - to satisfy the client who asks, and our regulators when they visit?


Replies (0)

