Sending accounts by email with GDPR

Under the GDPR requirements, can a firm still send accounts/tax returns and obtain approval via email?

Can't seem to find any clear guidance on this. 

I know a lot of people are using various cloud based approval systems, but I feel most clients will be resistant/indifferent. 

Is it now prohibited to be sending data over email?

Replies (12)

By WhichTyler
30th May 2018 12:17

GDPR is about risk, not prohibition. You have to be able to show that you have appropriate measures in place. The first three items on the ICO checklist are below. So if after assessing the risk, you come to the conclusion that sending a password-protected PDF by email is an appropriate measure (when compared to the alternatives, and bearing in mind the state of the art and cost/benefit), then document it in your data protection policy and move on...

☐ We undertake an analysis of the risks presented by our processing, and use this to assess the appropriate level of security we need to put in place.

☐ When deciding what measures to implement, we take account of the state of the art and costs of implementation.

☐ We have an information security policy (or equivalent) and take steps to make sure the policy is implemented.

Thanks (2)
Teignmouth
By Paul Scholes
30th May 2018 16:48

Agree with WhichTyler, it's your (and your clients') choice.

We use Iris Openspace for accounts & tax returns not so much as it's secure but because it's so much easier to get one or all interested parties to electronically approve.

When we started using it many years ago we just told all our clients that's what we were doing from then on and we never got a complaint. Sometimes you have to say to clients "this is how we do things" "end of"

Thanks (3)
Stephen Quay
By squay
05th Jun 2018 15:54

Agree with Paul Scholes. We've used Iris Openspace for many years for tax returns and accounts. In April we told all our payroll clients that we would be using it for their payroll documents as well. We continue to send the usual emails that the monthly payroll has been completed along with any notes but without attachments or personal or employees' data. These reports are uploaded to Iris Openspace. We gave clients no choice in the matter and all have accepted without criticism.

In the cases where we email payslips from the payroll direct to clients' employees these are now encrypted (which I understand is optional but I feel happier doing it this way). Again no choice and no negative feedback.

Thanks (1)
By Rose
05th Jun 2018 21:05

Can you explain how Iris Openspace works in practice? Is it similar to Dropbox? Does the recipient have to subscribe to Iris Openspace too?

Thanks (1)
Replying to Rose:
By CptCave
07th Jun 2018 14:22

You as the accountant register your client for Openspace; they receive an email asking them to set up a password. If they forget their password in future they can click on the forgot password link.

You can upload files direct from Iris and upload external documents. E-approval is a click of a button and you and your client get a notification when each of you uploads a document.

Works brilliantly :)

Thanks (0)
Replying to Rose:
Teignmouth
By Paul Scholes
07th Jun 2018 15:53

I no longer use Iris and uploading works better for me than it did with Iris integration. There's no local sync as there is with Dropbox but you can drag & drop files from your desktop to the client's folders in the browser.

It enables single or multiple electronic approval as well as, now, formal electronic signature.

Thanks (0)
By daveb_acct
30th Aug 2018 10:15

Instead of using insecure email, we use an online-based CRM/secure file storage system called Cloud Ark for sending accounts; indeed we perform any client communication under this system and all under GDPR guidelines.
The package allows us to also track documents, so we are notified if a client reads or e-signs a document.
Additionally, there is a secure messaging service within the portal in which we can message our clients without having to resort to email.
Our clients do seem very receptive to using this system as it allows them to keep in touch with us very easily. They also benefit from the ability to send us files/documentation (as it's two way - our clients are granted access to the portal with their own login).
The pricing model is very flexible too; maybe this is another system that may be of use if you don't wish to use insecure email or have concerns with GDPR compliance?

Cheers,
Dave

Thanks (0)
By anthony stevens
30th Nov 2018 09:09

Hi, we have a client demanding we send his accounts by email. Can we say no?

Thanks (0)
Replying to anthony stevens:
By Duggimon
30th Nov 2018 09:55

You can, and should, feel comfortable saying no to clients if it goes against your own beliefs and opinions.

You can also send his stuff by email, if you want to, just be able to demonstrate that you took steps to ensure any part of the responsibility for data security accruing to you was adequately discharged.

Thanks (0)
Replying to Duggimon:
By nmprobinson
04th Jan 2019 11:13

Thanks. What sort of step would that be?

Thanks (0)