What is GDPR and why should accountants care?
Many people are worried about the General Data Protection Regulation (GDPR), but in reality, although companies do need to act on it, GDPR is not as worrisome as some have made it out to be. In simple terms, GDPR is designed to make businesses improve the way in which they manage their data and to ensure that companies do not compile data simply for the sake of having it. As a result, the most important consideration is not the legal implications, although complying is important, but being able to show why the people in your database are there, why you may need to contact them and why you hold their data.
Because of this, businesses must remove personal data from their databases, and from any other products or services in which they hold it, unless they have a contractual reason why the data is needed, e.g. the person is a customer.
Businesses can also store the associated data if and when the customer or person gives them consent through a preference centre, or if and when there is a legitimate interest in contacting the individual and therefore in keeping them in the database. Businesses can also keep analytical data and any information that cannot be traced back to an individual, such as the created date, touchpoints and company information, but they cannot keep the email address, phone number, name or any other information that could be traced back to an individual.
In addition, businesses will want to reconsider how they manage data going forward, review their existing data and decide what should be kept and what should be deleted. The best way of doing this is to list the criteria that people must meet in order to remain in the database, rather than the reasons why they should be removed. This way businesses can show clearly why data exists and what processes they have in place to manage data and remove unnecessary or disallowed data.
So, if it’s mainly associated with databases, why should accountants care about GDPR?
As accounting professionals, GDPR will affect the way in which you manage personal data and what client information you keep and store. The information stored should be minimal, as the majority of data will be covered by contractual permissions. However, when it comes to prospect data and pipeline analysis, it is worth considering that you may have multiple contacts attached to an opportunity, and if you are planning to contact them on matters besides that opportunity, you need their permission to do so, unless you consider that the contact will help close the opportunity, in which case they can be contacted under legitimate interest.
It is likely that you do not only store client information but also hold personal data about your employees and about individuals who work for your corporate clients. This will also need to be reviewed.
It is important to note that GDPR does not simply require you to comply; you will also need to be able to demonstrate that you have complied. This might include working out what personal data you hold, putting in place policies on how data is managed, and training staff on those policies.
Overall, GDPR is not something to worry about, but it is something that needs to be considered, and a plan to comply with the new regulations should be implemented. Ensuring the success of your business's compliance starts with the clarity and overall consideration of your GDPR plan.
Even if you comply with current data protection legislation, chances are you do not fully comply with GDPR, and you will need to take further action and make a plan. As well as the obvious financial risk, failure to demonstrate compliance with legal requirements can affect your professional credibility. With GDPR coming into force only months from now, accountants should already be taking the steps necessary to ensure that they will be compliant when it does.