
The GDPR-ready practice: Cloud-based platforms and geography

2nd Oct 2018

Cloud-based platforms have given accountants the opportunity to collect, use and share data on a global scale. Even the tiniest practice can now be global. But how does all this work when you try to integrate GDPR compliance into the mix? Annabel Kaye reflects on some of the opportunities and challenges.

Cloud-based software is where you enter information at your PC (or increasingly via your tablet or smartphone) and the data is processed on remote servers. This has given rise to an industry of applications, from email marketing to customer records management (CRM) systems, bookkeeping and accounting platforms.

Your practice is the ‘data controller’ for all of this information. Your software provider or ‘platform’ usually acts as a data processor when processing information for you. They will also be a data controller in their own right since they too have a business, a marketing system, a support system etc, and the data they collect about you as their client (or prospect) will be held by them as data controllers.

Your label in GDPR terms depends on what role you are playing. As the customer, you are the ‘data subject’. You are the ‘data controller’ for your business (and your clients are the data subjects) and your platform is the ‘data processor’. We all play a variety of roles depending on what we are doing.

As a data controller, it is your job (or your organisation’s) to know what you are collecting (and why) and where it is being stored. It is critical for you to know whether the personal data you are collecting is being stored inside or outside the EEA (the 28 EU countries plus Iceland, Liechtenstein and Norway), since what you need to tell your data subjects, and what you can do, is affected by the country location of the servers.

Whilst we talk about data being ‘in the cloud’, the cloud is not a country. Every platform you use is storing data on file servers with a physical location in one or more countries.

The USA and GDPR

Most email marketing platforms store data in the USA. You are not likely to be storing special category data (such as health, political affiliations, race, religion, criminal records etc) in your email marketing system. But your data privacy policy will need to let your prospects and customers know that their email address is being stored in the USA.

The EU has a slightly interrupted relationship with the USA when it comes to data privacy and data sharing arrangements. This is because the two have fundamentally different ideas about data privacy. The EU works on the basis that the data subjects (that’s us as individuals) have the right to know what is going on and not to have our data shared without consent or legal or contractual necessity. The USA has a more aggressive view, as you will know if you have tried to enter the USA and someone has demanded the password to your iPhone.

Originally there was a ‘safe harbour agreement’ between the EU and the USA, and this was replaced by the current ‘data privacy shield’ arrangement. As long as this is in force, ordinary personal data can be shared with US-based email marketing systems, as long as your data privacy policy makes it clear this is where it is going and your provider has the data privacy shield (see list).

The EU is not happy about the lack of need for warrants for certain types of data and has threatened to revoke the data privacy shield arrangement. This will prove problematic for marketing departments, since there are no real EEA-based alternatives to tools such as MailChimp, Infusionsoft etc.

The data privacy shield is not the only way to lawfully share data with processors outside the EEA but for all its faults it is an easy way to check if your provider has taken data privacy seriously.

Data protection adequacy

The EU has a list of countries whose data protection laws it regards as adequate. If your platform is hosting exclusively in countries on the list, your job is a great deal easier. This includes all of the EEA but also:

  • Andorra
  • Argentina
  • Canada (commercial organisations only)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay
  • USA (with data privacy shield only)

Talks are ongoing with Japan and South Korea.

Hopefully, the UK itself will be added to the list post Brexit! The UK intends to continue the existing data protection regime post Brexit, so this is likely. Whether there will be a gap remains unknown.

Contracting for data protection and security

As the data controller, it is your job to make sure the personal data you send to your data processors is sent securely to a destination with proper security arrangements. If your platform is not storing information in one of the ‘adequate’ countries, you can still do so provided you have taken some extra steps.

Wherever your data is hosted you will need to contract properly for GDPR compliance and data security. If your data is being hosted in a country not on the above list (or by a provider who is not compliant with the data privacy shield framework), you will need to contract for data transfers outside the EEA.

The EU provides model contracts, but oddly enough these all pre-date GDPR and there are no model clauses available for post GDPR compliance. It remains to be seen whether an update will be issued. The old model clauses can be found here.

If law is not your favourite subject, you may find it hard to work out whether any individual data processor is offering you equivalent clauses or whether their terms are inadequate. You will need to take legal advice on this if you have concerns.

Where is accounting data held?

If you are keeping books and doing accounts the chances are that will include information about living individuals. If your client trades B2C, their customers’ names and home addresses will be on the invoices along with payment periods and other information.

Even businesses set up to trade B2B will find sole traders and their home addresses and emails drift into the accounting system without anyone really noticing.

Digital VAT may mean you know where their customers were at the time of purchase and there is no end to the information that the electronic world brings to us if we integrate accounting programmes with online shops, CRMs and other platforms.

Your data is not only being stored in the cloud but also backed up by your service provider and shared across multiple servers in multiple regions in order to provide continuous service. So where is it?

As part of your data audit (and its updates when you change platforms or processes), you will need to ask this question and keep a copy of the answer. You will need to review your data privacy policy to see if it is clear where information is going and you may need to create some local ‘sign up’ statements or onboarding statements to make sure your clients (and their clients) know what is going on.

Here are some of the more popular platforms and their locations:

You need to make sure your platforms are storing data in an appropriate country – but don’t forget all those add-ins and extras that you pass data through as well.

If you change your platforms or find a new piece of software or an app that helps you, you need to find out how secure it is, how you can comply with GDPR whilst using it and add it to a reviewed data audit list.

You will need to make sure your team know this and do not just add things that seem ‘useful’ or on special offer. Giving apps access to your software should only be done by authorised people who have gone through a proper security vetting process and assessed the data privacy impact of doing this.

Special category data

If you are holding ID-related data, health-related data or any other information viewed as special category data you will need to consider:

  • If it is appropriate and/or secure to store it outside the EEA
  • What steps you need to take to inform people that it is leaving the EEA before you collect it.

This would not normally be held inside your accounting programme but you should take great care to store this securely and as locally as possible and make sure your customers know where this data is going and why.

Clients have not fully woken up to the way their personal financial information is being sent around the world. Many still feel they are dealing with their accountant in person and the relationship does not always feel ‘global’ - it is up to you to keep them informed.

Consumer awareness is changing

While a lot of practices saw 25 May 2018 as GDPR day, clients are slowly waking up to their data protection rights and we can all look forward to having to explain a great deal more to our clients about what is going on with their information.

While the average client is probably not going to worry about which platforms you use to collect what, that is because they trust you to make the right decision and make sure their data is safe.

Being in the cloud does not mean being in a fog. You will need to be able to show that you went through a process to make those decisions and check their information is secure.

In the final part of this three-part series on GDPR, we will be looking at outsourcing and referring.

