Practice Editor AccountingWEB

Self assessment: Will GDPR cause busy season headaches?

30th Nov 2018

Just when you think you’re on top of your GDPR compliance, along comes another data hurdle that could chain accountants to their desk during the calendar’s busiest period.

It’s par for the course that come December/January long hours are non-negotiable if accountancy firms want to get their clients over the January 31st tax return line. For some accountants, the option to work extra hours from home makes the busy season a little more palatable. Plus, it means work gets done, returns are filed on time and staff can enjoy extra pay.

But in this data-sensitive time, confusion over GDPR guidance and clients’ records is causing bigger tax season headaches than the classic carrier bag overflowing with receipts.

In particular, does the GDPR guidance permit staff to take client records out of the office on paper or on a data stick? Suddenly, the once carefree action of leaving clients’ paperwork in the car becomes a risk management concern under the ICO’s data regulation.

Raising this issue on Any Answers, AccountingWEB regular Kevin Ringer said he’s leafed through ACCA and ICAEW guidance but hasn’t found a definitive answer.

In past tax seasons, Ringer’s staff took their clients’ paper records home and worked on spreadsheets via USB sticks. But this May’s still-indeterminable GDPR regulation has thrown some doubt on whether this yearly work routine is still doable and adheres to the regulation.

As always when it comes to GDPR, Ringer is mulling over a number of questions, including whether the data must be encrypted, should they use something like Dropbox to synch the data between their work and home PC, or can they even email data between their work and home email?

Risk management

The Any Answers consensus was that the onus is on the practice to fill the lack of guidance with its own robust policy. AccountingWEB member Klandrews recommended that Ringer approach this quandary from the position of what could go wrong, treating the scenario like a risk management exercise.

And this, the AccountingWEB member said, is a key part of GDPR: write things down.

AccountingWEB approached Annabel Kaye, who, alongside being the director of employment specialists Irenicon, has become an authoritative voice in GDPR. Echoing the Any Answers responses, Kaye emphasised that GDPR requires personal data to be adequately secured and that the employer should make a data privacy impact assessment and set out rules on working with paper and taking paperwork home.

“It would be most unwise to take the only paper copy of anything around since if the briefcase is lost there is no way to replace the material. The loss of paperwork is still a GDPR breach with all the attendant need to report and notify.”

Kaye said this would normally include locking papers into a lockable briefcase and never leaving them unattended (i.e. in the back of a car), or unattended at home if other people are in the home.

AccountingWEB member Mbee1 takes the same precautions. “When I leave my home study desk, I log out my laptop in case anyone comes into the study including my wife and other visitors. Any paper documents have to be locked away but, as we're virtually paperless, there isn't much around and anything that is I shred.”

Inspired by the actions of his local school where Mbee1 serves as a school governor, the AccountingWEB member's GDPR policy even outlaws memory sticks.

Carrying data on a USB stick

However, as Duggimon pointed out, a USB stick ban may not be entirely necessary as “an encrypted USB stick is as secure as a password protected laptop”.

Kaye, too, advises against USBs unless they’re encrypted. While GDPR does not prohibit much, she warned that password protection is not enough.  

“If you lose an unencrypted USB you have to report it to the ICO. Whilst encryption is not compulsory, the pain of reporting to each individual customer and the ICO about the loss of a USB should make it not ‘merely’ good practice but the minimum sensible way to carry on.”

The search for incredibly secure portable drives and USB sticks has led some AccountingWEB members like Youngloch to invest in expensive solutions.

The member described the storage device they’ve settled on as something lifted from an Ian Fleming novel, with long codes to even wake it up and an in-built self destruct mechanism that destroys the data if anyone tries to prise the hard drive case open.

“If I left a drive on a train I could sleep easy knowing that the data could not be accessed – albeit I'd be annoyed because the drives aren't cheap to replace.”

Sending data from work to home

Setting up a VPN could also be a tech solution that will enable staff to work at home and still access office software, and might even preclude the need for a memory stick. “We've done it for years and there is nothing I can't do from home,” said Mbee1, who visits the office once a week.

Kaye backed the VPN option, which “ensures other household members or hackers with access created by your kids’ lovely games cannot see the data that passes through your householder router”.

This, she said, is a much more secure option than relying on your home Wi-Fi which you may share with children or guests. Even worse, though, is using free email accounts to share data between work and home.

“There is no legitimate reason for anyone to share data outside of the corporate emails, even if it is ‘with themselves’,” she said. “Sending data from work to home is sharing data with a third party (unless you are a sole practitioner with sole access to both!).” 

The other option would be Dropbox, but again, Kaye recommended the business account over the personal Dropbox, which does not have the full functionality you would need to safeguard against accidental deletion. The caveat is that Dropbox stores data in the USA, so Kaye said it should not automatically be used for special category data and you’d need to make clients aware that their data is being sent to the USA.


Self assessment season really highlights the importance of having a data privacy policy. Kaye has seen some people attempt to include this as an additional two paragraphs in their letter of engagement and check with insurers whether they have any kind of data loss insurance.

But above all else, GDPR requires a risk assessment and proper security measures and working practices to be in place.

“If you do such an assessment and decide all of the above is appropriate for say low risk data that is OK. But the more personal and confidential the data, up to Special Category Data the more damage is done if the data is lost and the more care should be taken to secure that data and avoid a loss,” concluded Kaye.

It may seem like a burden but as AccountingWEB member Chasmeehan noted, “Often the benefit of the irksome formality required is to increase staff awareness and encourage pause for thought when under time pressure, which is when things often go wrong”.

Replies (2)


By prolison
04th Dec 2018 10:33

Well done Richard! This article and the guidance it contains go to the heart of GDPR in my opinion. Those seeking definitive answers to their particular business scenarios are likely to be disappointed, hence the need to take the GDPR default approach of risk assessing the business and its data requirements. There are no shortcuts to getting GDPR right.

Thanks (1)
By [email protected]
05th Dec 2018 11:36

ICAEW has produced some Helpsheets for members on Client files, Communicating Safely with Clients, Encryption and Passwords (among others) which may help. Available here

Thanks (1)