GDPR and cloud apps: How to remove unneeded data?


The GDPR 'right to be forgotten' provision has made full compliance a problem for some accountants, as they are unable to anonymise unwanted data in their cloud apps.

Practitioners have examined almost every conceivable angle of the ICO’s data protection regulation brought in on 25 May, from reworking letters of engagement to emailing payslips, but one aspect has been overlooked until now: what a business must do once the period for retaining information has passed.

An Any Answers thread uncovered the administrative quandary for accountants: how do you delete unneeded client personal data from cloud apps?

AccountingWEB regular Paul Scholes raised this query after a discussion with one of his cloud providers revealed the inability to delete data. This then leaves the business with the onerous task of manually deleting every customer or supplier to remove their information.

Scholes illustrated the need for this feature with a scenario where his client invoiced a personal customer in 2011, but since that person is no longer a customer, he argued that there is no reason to hold that personal data and he should delete it.

Some providers have options to ‘hide’ old users or ‘archive’ this information but as Scholes points out, this data would still be retained.

Instead, Scholes outlined the task now at hand: “I'd have to go in and change the names, and delete address, email address and, in some cases, if the software has kept a PDF on any invoices, these also have to be tracked down and deleted, so that the person could not be identified.” 

Reasons why this is not clear-cut

Taking payroll as an example, Karen Bennett from payroll software Brightpay, who wrote an industry insight on this subject, told AccountingWEB that like anything concerning GDPR there are considerations that don’t make this scenario clear-cut.

“With BrightPay Connect, our cloud self-service portal, employers or accountants can restrict access for an employee or group of employees,” said Bennett. “For leavers, there is an option to restrict their access, but an employer (or accountant on their behalf) must keep their information for the statutory periods required by law.”

When that is the case the information is maintained or archived on the software. Where a customer wants to completely remove all data for an employer, this can be removed via their payroll bureau online dashboard, but there are other manual options available. “If they want to remove a particular version of an employer file they cannot do this themselves, this is available on request,” added Bennett.

Solutions are coming

Where there isn’t a requirement to maintain the data, some software providers have actually released updates to resolve this issue. Sage Business Cloud, for instance, is one provider that is supporting the GDPR right to be forgotten. In its 16 May update, the software included the functionality discussed in the thread to ensure that the user's contacts’ details are no longer identified.

Pandle will also be adding this ability to remove personal data without affecting transactions. “Effectively the personal data will become anonymous," Pandle's founder Lee Murphy told AccountingWEB.

Explaining Pandle’s approach to this aspect of GDPR, Murphy said: “Under GDPR companies should only keep personal data as long as is necessary. HMRC requires companies to keep records for a period of six to seven years, but after this time there is unlikely to be a good reason to hang on to personal data for old customers.

“That’s why at Pandle we are developing a tool to enable users to remove their customer and supplier details without having an adverse effect on transactions, essentially anonymising customer and supplier data.”

But until every software provider has an updated solution, AccountingWEB member ShayaG suggested a short-term fix: change the customer’s name to “Oldcustomer_1” and delete their address and contact information.
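The interim approach described above (rename the contact, clear the address and contact fields, track down stored invoice PDFs, leave the transactions intact) looks like this as an added sketch; it is not code from any provider named in the article. The table layout, column names, sample rows and the seven-year default are assumptions made for the example.

```python
import sqlite3
from datetime import date

# Assumed layout, constructed for this example: contacts hold the personal
# data; invoices reference them by id and carry the figures to preserve.
SCHEMA = """
CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, address TEXT, email TEXT);
CREATE TABLE invoices (id INTEGER PRIMARY KEY, contact_id INTEGER, issued TEXT,
                       total_pence INTEGER, pdf_path TEXT);
"""

def anonymise_expired(conn, today, retention_years=7):
    """Scrub contacts whose newest invoice is older than the retention cutoff.

    Returns (contact ids scrubbed, stored PDF paths the caller must delete):
    a rendered invoice still shows the name and address after the row is clean.
    """
    # ISO dates compare correctly as strings, so no date arithmetic is needed.
    cutoff = f"{today.year - retention_years:04d}-{today.month:02d}-{today.day:02d}"
    ids = [r[0] for r in conn.execute(
        "SELECT c.id FROM contacts c JOIN invoices i ON i.contact_id = c.id "
        "GROUP BY c.id HAVING MAX(i.issued) < ? ORDER BY c.id", (cutoff,))]
    pdfs = []
    with conn:  # single transaction: all contacts are scrubbed or none are
        for cid in ids:
            conn.execute("UPDATE contacts SET name = ?, address = NULL, email = NULL "
                         "WHERE id = ?", (f"Oldcustomer_{cid}", cid))
            pdfs += [r[0] for r in conn.execute(
                "SELECT pdf_path FROM invoices WHERE contact_id = ? "
                "AND pdf_path IS NOT NULL ORDER BY id", (cid,))]
            conn.execute("UPDATE invoices SET pdf_path = NULL WHERE contact_id = ?", (cid,))
    return ids, pdfs

def demo():
    """Run against constructed sample rows; 'today' is fixed for repeatability."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", [
        (1, "A. Example", "1 Sample Street", "a@example.test"),  # last invoiced 2011
        (2, "B. Example", "2 Sample Street", "b@example.test"),  # invoiced in 2017
    ])
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?, ?)", [
        (10, 1, "2011-03-01", 12000, "pdf/inv10.pdf"),
        (11, 2, "2011-04-01", 5000, "pdf/inv11.pdf"),
        (12, 2, "2017-09-15", 7500, None),
    ])
    ids, pdfs = anonymise_expired(conn, date(2018, 6, 7))
    return conn, ids, pdfs
```

The returned PDF paths matter because the scrubbed row no longer points at them; exports and backups taken before the run still contain the original details.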

Expert commentary

Bobby Chadha, senior manager at Propel by Deloitte, told AccountingWEB that one of the risks in removing data from cloud apps is that it’s removed.

“Imagine a scenario where as an accountant you have had a client on a cloud-based solution leave you or done a runner,” he said. “If you're paying for the subscription, you then cancel it. Some software providers will provide a year for you to download your transactions in CSV format and after 12 months it is then deleted.

“The headache occurs if no action was taken during this period and the file was subsequently deleted meaning all the transaction info is also deleted and the client then reappears needing it.

“Vendors should look to provide an easy download feature of all transactional data in their software and should also prompt users to download their data if they cancel their subscription.”

He added that firms should build this aspect into their client exit process. “Remember to download the relevant transactions from the software and send it across to the ex-client or to communicate with the ex-client to log in to their software to download their data (email creates an audit trail so avoid phone calls).”

Has your software been updated to help with this quandary? Have you found an alternative solution? Or are you still bamboozled by this problem? 

About Richard Hattersley

Richard is AccountingWEB's practice correspondent. If you have any comments or suggestions for us get in touch.

Replies

07th Jun 2018 09:38

This just highlights how some of the practicalities of GDPR have not been properly thought through.

Another practical issue is that if someone wants to be forgotten, how do you remove them from a backup file?

Thanks (1)
to jon_griffey
07th Jun 2018 11:01

Jon - not sure this is any different, the backup is just a snapshot of the live data at that point and so, unless you or the client, has a valid reason not to, you just delete it after 6-7 years?

Thanks (0)
to Paul Scholes
07th Jun 2018 11:45

Paul Scholes wrote:

Jon - not sure this is any different, the backup is just a snapshot of the live data at that point and so, unless you or the client, has a valid reason not to, you just delete it after 6-7 years?

The point being that if for example I take a simple Windows backup of all the files on the system today, then in a month's time receive a right to be forgotten notice, it is impossible to delete the individual client from within a backup file. Either you delete the whole backup file (which by deleting other clients' data as well risks losing their data and causing a personal data breach), or you don't in which case you are not complying with the notice.

Thanks (0)
to jon_griffey
07th Jun 2018 12:19

I completely agree Jon. I am an Apple Mac practice and I take weekly complete back-ups of all machines which go back for years. I also use Apple's Time Machine which makes a backup of my HDD every hour! That is a lot of files to trawl through to delete data on one particular client.

I don't think that GDPR has been thought through in terms of the 'right to be forgotten'. For years we have been encouraged to back up regularly and, with disc storage being so cheap, the days of Grandfather-Father-Son backups are long gone.

Speaking to a client recently (who has been all over GDPR since the start) he believes that the trigger point will be when there is a data breach. When this happens (website or computer is hacked) the victim of the data loss will be asked what data has been taken and was it necessary to hold that data. This sounds like a sensible, and possibly the only way to police GDPR. As long as backups are well-encrypted (which most are) the un-encrypted data from backups will not be in the public space and so won't be an issue. I believe that the idea of removing data from backups will, with hindsight be seen as a GDPR red herring...that is the horse (or perhaps fish) that I am betting on.

Thanks (0)
to jon_griffey
07th Jun 2018 13:59

Being a Mac user I'm not sure what a simple Windows backup is but if a client sends me a right to be forgotten notice, I am still entitled to retain their personal data for my own tax, PI insurance, AML purposes etc (ie per the terms of my privacy notice) and so by deleting backups and other data more than X years old, I'm OK?

Thanks (0)
07th Jun 2018 10:56

Just to expand, this is not just relevant to accountants and the software they impose on their clients it's also for the clients, after all it's their data, plus many businesses handle it all themselves, with the accountant as monitor.

As with most things "cloud accounting" recently, I found Pandle's (Lee's) approach refreshing, ie they were already on the case before I asked. The impression I get is that this new breed of provider is making the others look staid and "am I bovvered".

The trouble is there are now 30ish systems out there that each treat data in differing ways, ie:

- Some treat the data as the client's (even if I pay the sub) others treat it as mine;

- Some offer the ability to access redundant data for a small fee (eg where client leaves or changes provider) others keep for a period or delete it straight away;

- The content and quality of backups are many and various, I downloaded a full csv backup of a client's 7 years of FreeAgent data when they stopped using it last year and only recently discovered (with much grief) that the backup has no journal entries. Clear Books used to be the only system I knew that offered a full old fashioned backup, ie a snapshot of the entire data file for download, that could be restored from, but they switched servers and, despite promises, have never reinstated it.

All of these issues, plus the ability, or not, to delete out of date personal data, need to be considered in the terms of each client engagement, ie the client needs to be aware of the risks of the software they, or you, have chosen AND we need to put pressure on the vendors to employ best practice.

PS: When renaming personal data I'd always prefix it with ZZ to let all the dross fall to the bottom of the list

Thanks (3)
07th Jun 2018 11:56

A couple of questions arise ...
1. "HMRC require data to be kept for 6-7 years".
One sees this often stated - but is it a statutory requirement [if so under what statute], an HMRC Regulation [if so exactly which one]. I have to say I probably knew once, but I've rooted about several times recently on this and have yet to find any definitive reference for the precise requirement.
2. How do you 'prove' you have deleted data?
As far as 'cloud' goes, you have only
a. a contract
b. an inability to get at deleted data
you do not actually 'know' that it has been deleted!
3. Backups are a real issue - many times the circumstance is not one of stuff under multi-year retention.
If someone inquires about your services and you drop them an email or a letter or an email, or even retain their telno, and they ask you to remove them from your ken ... do you even know what backups are taken and where?
Your ISP, for example, retains data under statute as does the telco - but email is 'store and forward' - do we KNOW that intermediate buffers are emptied?

I believe there will be 15 years of court cases before we even know what 'GDPR compliance' looks like.

Thanks (0)
By RogerMT
07th Jun 2018 11:58

Deleting info over 6 years old wherever it's stored flags another problem. What happens if an ex-client decides to make a claim against a practice for whatever reason, based on something that happened, say 8 years ago, and the practice no longer has the files (hard copy or electronic) to refer to in order to defend itself?

Thanks (0)
to RogerMT
07th Jun 2018 14:03

As I say above, my privacy notice says I'm able to keep client data for the purposes of my own tax, PI etc and so this would enable me to keep it past the 7 years as my PI cover runs for way past that.

Thanks (1)
By RogerMT
to Paul Scholes
08th Jun 2018 15:03

That's a good point Paul, but doesn't saying you will be keeping data beyond the statutory minimum period for whatever purpose put you in breach of GDPR rules?

Thanks (0)
By ShayaG
to RogerMT
08th Jun 2018 17:28

The statute of limitations is usually 6 years.

Thanks (0)
to RogerMT
09th Jun 2018 01:40

The statute of limitation comes into play which is 6 years.
An old client after 8 years can not try and hold you liable if they have not in a first instance started a civil case against you within the 6 year period which would trigger you to get all your data together on said client to prove your innocence.

Thanks (0)
By RogerMT
to lildanfen1
18th Jun 2018 09:36

Good point, must admit that didn't occur to me...can you provide a link to back this up?

Thanks (0)
By RogerMT
07th Jun 2018 12:01

.

Thanks (0)
07th Jun 2018 14:27

Also, which cloud providers etc just rip what they want from your data/have a computer read it for their own nefarious purposes? Computer people just don't understand the concept of privacy and work that is confidential.

Thanks (0)
to AnnAccountant
07th Jun 2018 15:55

But we are all "computer people" these days.

I agree though there are some nasty ones that dress in red and all of them live under my bed :)

Thanks (0)
08th Jun 2018 09:16

HMRC can go back 20 years (24 coming for offshore) where deliberate behaviour.

Great fun when all the paperwork has gone.

Thanks (1)
to North East Accountant
08th Jun 2018 10:30

S*d that! 46 years and still waiting for that to happen, but for others, how about:

Privacy notice extract, "On the assumption clients deliberately fiddle their tax and that they are likely to have offshore stuff, they won't tell us about, we'll be keeping personal data for 24 years"

Thanks (0)
By Moo
to Paul Scholes
11th Jun 2018 16:14

Yup, your privacy notice extract perfectly fits my tax centred professional world which is why I'm not overly fretting about deleting data. I reckon the old client papers in the garage will probably have been destroyed by mice before the 24 years are up so not much for me to do.

Thanks (1)
09th Jun 2018 01:58

What about sending clients non encrypted data back to them? They send you a memory stick with all their sensitive data relating to their year of trading.
Do you send it back in the post which is not secure?
Pay for a courier to ensure delivery to the rightful owner (bear in mind that courier drivers just require a signature) and pass that extra cost on to your client?
Send it guaranteed next day via Royal Mail (again is it secure)?
Pay an employee to hand deliver it and pass said cost onto client?
I am assuming that after a year or so new legislation will ease these difficulties (I refer to the original reporting to SOCA when clients missed their AR deadline and we had to report them for theft).

A 2nd issue is HMRC and their 20 years, surely as both business and tax advisers we owe a duty of care to our clients to ensure that both they and ourselves can demonstrate that we can both prove that our clients and our own decisions were based on law and that we can prove said decisions.
How do we do this if we are forever destroying vital information and proof?

Thanks (0)