
What are you sending via email post GDPR?

What to send and not to send?


Under GDPR, I am wondering what people feel is now acceptable to send via email, for example would you send an email that said, your profit is x amount and your tax is y?

Would you still ask questions about specific transactions? Would you still send accounts, tax returns, bank statements etc.? Would you ask an employer for an NI number or date of birth for an employee?

Replies (31)


By Paul Scholes
24th May 2018 17:03

Yes

Thanks (1)
By atleastisoundknowledgable...
24th May 2018 18:09

Company info is ok, it’s outside the scope of GDPR.

Personal info (eg tax returns, payslips, list of unknown bank transactions for a sole trader) would be caught and not allowed. Use a client portal-esque thing to send those, there are some cheap & PAYG ones out there. You can ask for their NINO etc, it’s up to them if they send it to you by email or not. Be careful not to just reply to that email without removing the info - that would be you sending sensitive personal info over an insecure email exchange. I can see us getting caught out by doing this.

Or ignore it like Paul is, in the faith that nothing will happen to him before he retires ...

Thanks (1)
By moboffsol
24th May 2018 20:07

Can anyone recommend a cheap client portal please?

Thanks (0)
Replying to moboffsol:
By Maslins
25th May 2018 11:34

Senta. It's far more than just a client portal...but check it out, see if it looks like something your practice would benefit from.

Thanks (1)
Replying to moboffsol:
By daveb_acct
16th Aug 2018 09:23

The client portal/CRM we use is Cloud Ark (Cloud Ark Security Centre); it allows us to message our clients securely within the portal environment. It is more than just a messaging centre though: it allows us to send and receive files securely, set up events, receive notifications if documents are read/signed etc. All this is under GDPR guidelines too, so maybe that is an option worth considering for your secure email needs?

Thanks (0)
By mg200
25th May 2018 06:52

There are no issues with communicating with your clients. You are doing this as part of your contract with your client and it is necessary to do your job.

Thanks (0)
Replying to mg200:
By NH
25th May 2018 07:16

Not sure why you would say that - GDPR puts a duty of care on us to protect and secure personal data, sending that data in an email is one of the least secure things you could do.
No one has mentioned encrypted email?

Thanks (0)
By MissAccounting
25th May 2018 08:50

Does anyone actually know for definite what you can and can't do? I was listening to someone on the radio this morning saying a lot of the experts are giving bad advice and that if you have a genuine relationship in place you are fine.

Can clients opt in to receive sensitive information via email? Who knows! Another giant mess the government has got us into!

Roll on MTD and the demise of Taxfiler just to really cement our industry!

Thanks (2)
Replying to MissAccounting:
By NH
25th May 2018 09:04

MissAccounting wrote:

Was listening to someone on the radio this morning saying a lot of the experts are giving bad advice and that if you have a genuine relationship in place you are fine.

Yes, as an example we went to a course and were told that as long as you password protect PDFs you are fine; our IT guy says anyone that can do a Google search can easily break a PDF password, so that's no protection at all....

Thanks (0)
Replying to MissAccounting:
By RichardPulseCyber
29th May 2018 10:39

A large % of the advice that was given pre-GDPR was bad and that will remain the case, most often when promoting "Consent is essential".

Thanks (0)
By ireallyshouldknowthisbut
25th May 2018 09:13

Our T&C's quite clearly state I can use email to send the clients data unless they tell me otherwise.

I would suggest people read the relevant parts of the legislation; it just says you need to assess the risk of misdirection. I have done, and it's low, and I have moved on....

Thanks (2)
Replying to ireallyshouldknowthisbut:
By RichardPulseCyber
29th May 2018 10:41

Processing of personal data will require a lawful basis (there are 6) and what you describe here is most likely "legitimate interest". If so, you still need to provide the data subject with an "opt-out" option, and will also need to carry out a thorough assessment/balancing test in each instance to ensure you are protecting the rights, freedoms and interests of the data subject.

Thanks (0)
Replying to RichardPulseCyber:
By JCresswellTax
30th May 2018 16:52

Load of [***]...won't happen.

Thanks (1)
By Paul Scholes
25th May 2018 09:59

This has been done to death over previous months and so this all feels a little 31st Jan-ish.

Other than what you and/or your client/contact wants, there's nothing to stop the transmission of all that stuff by unencrypted email.

I use the secure website (Openspace) to send key stuff like Accounts, tax returns or terms of engagement but only because clients are able to electronically approve them which I feel is better than them just replying "OK" to what I email them.

I have a number of clients who work in, or have worked in, cyber security and they are fine with email and one told me that, even with security software, your local computer is the easiest route in to examine data (even if, like me, you think you are 100% cloud) and so you should encrypt the hard drives. This is a mouse click away on my Macs and is apparently quite easy on PCs.

Wish now I'd stuck with my short answer!

Thanks (2)
By Paul Scholes
25th May 2018 10:06

Forgot to add - none of the above is "sensitive info" (eg race, sexual orientation, ethnicity, political views, etc.) - full list on the ICO's website.

Thanks (0)
By Maslins
25th May 2018 11:43

I feel a bit of perspective is required. There's a big difference between:

1) one email being intercepted which happens to contain a handful of bits of personal data about one client.

2) one out of your entire server/email service/cloud software bits of data being accessed inappropriately, where there's huge quantities of personal data for all your clients.

So (being a bit flippant) my view is, don't have the password for your work GMail account and Xero/FreeAgent/whatever accountant dashboard as "letmein"/"password"...but don't get panicky about the transfer of every tiny bit of data.

Thanks (2)
Replying to Maslins:
By RichardPulseCyber
29th May 2018 10:44

Context and perspective is important, however what you describe in point 1) is in fact a data breach under the GDPR. As such you would need to take the appropriate action, the GDPR does not focus on "volume" in any context - a breach is a breach.

Thanks (0)
Replying to RichardPulseCyber:
By JCresswellTax
30th May 2018 16:53

Who cares. Honestly. who cares.

Thanks (1)
Replying to JCresswellTax:
By NH
30th May 2018 17:17

Well, I think we should care to start with, care enough about our clients to take data security very seriously. Most clients I speak to do not know about the insecurity of email, and while it is the most convenient option for them and us, when you explain to them what can happen they start to take it a bit more seriously.

Thanks (0)
By RichardPulseCyber
29th May 2018 10:37

There are 3 options to consider here, in terms of modes of contact.

1) Encryption of emails; however I've experienced a common theme of "a lot of our clients won't like that, they are not tech savvy"

2) Portals; probably the best route in terms of security and the user-experience - but techno-phobes will be equally reluctant as they are to encryption

3) Physical Mail; the RM was very quick to identify that its product offered a great alternative under the GDPR, physical security of personal data within documents etc. This would probably appeal to those clients (point 1)) who are reluctant to engage with encryption or portals

Thanks (1)
By David Gordon FCCA
29th May 2018 16:53

Why are people getting their knickers in a twist?
Letters of engagement ought always to have included a permission, or not, for the use of email for any or all correspondence between client and accountant. Including that email is not 100% secure.

Thanks (0)
Replying to David Gordon FCCA:
By Constantly Confused
29th May 2018 17:00

David Gordon FCCA wrote:

Why are people getting their knickers in a twist?
Letters of engagement ought always to have included a permission, or not, for the use of email for any or all correspondence between client and accountant. Including that email is not 100% secure.

A point I've heard from a lot of places and people is that we have to send everything 'securely', regardless of everything else. So you can't send a client a letter saying 'unless you say otherwise I'm sending you unencrypted emails', nor can a client call and say 'we didn't have none of this fancy portal nonsense when I was a lad, just email me things as before'. We HAVE to send things securely, at least using encrypted emails and ideally using a portal, or we are breaching.

Or am I incorrect?

Thanks (0)
Replying to Constantly Confused:
By RichardPulseCyber
30th May 2018 11:09

Correct. The onus is on the data controller; even if a client (who is perhaps "technophobic") verbally "waives" your responsibility over their data, you remain liable as the data controller and will need to report/manage the breach should it occur. I have had this conversation with several practices in recent weeks, where clients are indeed technophobes and don't understand encryption or portals.

Thanks (0)
Replying to David Gordon FCCA:
By North East Accountant
30th May 2018 09:21

Yes we all have these clauses, hopefully.

Even though the client agrees to email (and prefers it) we are still liable to the client for any breach and must self report to ICO.

I read somewhere that even if the client suffers no loss, they are still entitled to compensation for a breach.

No doubt, in the passage of time, when some poor accountant gets taken to the cleaners, we will get an idea of precisely what we should be doing.

It's outrageous, that even though 25th May has passed there is so much confusion, and this is due to the never ending guidance changes and vagueness of the whole thing.

ICO guidance changes again:
08/02/18 Version 19 - 120 pages
20/04/18 Version 40 - 153 pages
15/05/18 Version 82 - 185 pages
29/05/18 Version 122 - 240 pages

Thanks (0)
By NH
29th May 2018 17:04

Funnily enough, the two times there has been a "data breach" in our firm it was because information was sent through Royal Mail to the wrong client.

Thanks (0)
By PERMON
30th May 2018 09:53

I suppose a valid question is whether it was ever sensible to send certain types of data by email, e.g. would you ever have included your credit card number in an email? I think a good way to look at email (GDPR or not) is as the equivalent of a postcard - would you send the client a postcard including details of his/her profit as per last year's accounts?

Thanks (0)
Replying to PERMON:
By Paul Scholes
30th May 2018 16:41

I refer you to my first response.

I've been emailing this stuff for 20 years

Thanks (0)
Replying to Paul Scholes:
By PERMON
30th May 2018 16:57

Reminds me of a local business person who, on introduction of the Euro (and use of cheques to EU suppliers), reckoned "it's easier to seek forgiveness than permission" :-)

Thanks (0)
Replying to PERMON:
By RichardPulseCyber
30th May 2018 17:03

Without doubt the risk of reputational damage, as an organisation that is potentially perceived as unworthy of being trusted with personal data, is not worth it. Do the right thing, GDPR is law, and look after the personal data you have been entrusted with.

Thanks (1)
Replying to RichardPulseCyber:
By North East Accountant
31st May 2018 11:44

Have you stopped using email then?

If so, what are you using as a secure means of comms?

Thanks (0)