In two months GDPR becomes legally enforceable. Jennifer Adams sorts through the wealth of information available to the smaller accounting practice and pulls together an action list towards compliance.
What do small firms actually need to do to be GDPR compliant?
Google 'GDPR UK' and you get 2,280,000 results; some relevant to the small firm and some quite obviously not. While one size definitely does not fit all, there are areas of common ground. If you work on your own or are a smaller firm the job of compliance will be down to you and add to your already heavy workload.
The legislation is complex, and with complexity comes numerous misconceptions. For example, it’s often believed consent must always be explicit (it isn't), that the 4% fine is for all data breaches (it isn’t), and that it is mandatory to appoint a data protection officer (it isn’t - this role is largely reserved for those processing “special categories of data”).
Even so, all accountants must comply with GDPR as they hold information that can be used to identify an individual.
- Visit the ICO's website. Download the publication 'GDPR: 12 Steps to take now', which gives a helpful guide to the regulation. The sister publication, the 'checklist', should be all you need to confirm whether your processes comply but you have to get through the jargon first eg the first question asks whether your business ‘has conducted an information audit to map data flows' but does not explain what 'an information audit' is. However, you will find the checklist useful, after you have finished the work.
- Ensure that someone in the firm registers as a data controller with the ICO if not already done so. This is not a new obligation, and as such accounting firms should be registered already. Although the ICO may have their hands tied up at the moment with Facebook and Cambridge Analytica, being registered means being on ICO's radar for a possible compliance check at a later date.
Research relevant GDPR articles
With the amount of GDPR information available online, it is difficult to work out which article or website is relevant to the profession. For once, the institutes have got their act together and either issued their own text or collaborated with other institutes:
- The ICPA guide written by Mark Lee must be downloaded for use as the main textbook. It sets out the process to follow in a clear and concise way.
- The AAT page on GDPR is written in non-jargon.
- STEP issued a 'Briefing Note' on 5 March 2018.
- Unfortunately, the ICEAW has 'locked' some of its' downloads for members only, but there is still some interesting text available for all. Most important is a useful recorded webinar that is compulsory viewing.
Start and record your 'audit' – your own systems
List what needs to be done to comply
Treat it as you would a road map – a journey to an end. You need to think about all the information coming into and being used by your firm and write down every step of the process. Document the type of personal data you hold, where it comes from, where and how it is stored (eg which software is used), how it is processed, with whom it is shared, how long it is kept and if possible confirm the legal authority for the retention of the data. Use the project as a way of ensuring that you have all the information you need eg check that you have the correct email addresses and phone numbers for each client.
Create a data audit form spreadsheet
The We Will Thrive site holds a good basic checklist as an aide memoir of areas that need to be considered and includes a template.
The ICO has also created Excel spreadsheet templates, although obviously not bespoke. Scroll down to the pdf 'documentation for controllers and processors'.
Start and record your 'audit' – the systems you use
Research the compliance of the various software providers used. Find out what they are doing with the data they are holding eg in January Legal e-sign issued a consultation document asking customers to let them know whether the company's intended plans would fit in with their customers' needs.
The ICEAW webinar stated that you need to look at the terms and conditions of each software programme used (which should be available on site) to see what their policies are, particularly the ones with cloud storage. When and how will the data be held and for how long? Remember to record that you have done, that you have searched for the information and record your findings.
As an example a member of AccountingWEB and user of Clearbooks, Paul Scholes asked the software about their accountability and received confirmation that they have updated their term and conditions. In addition they stressed that clients of accountants using their software will need to be made aware that "Clear Books employees will from time to time be required to access your Data for legitimate business purposes, such as to assist you with a support query or to investigate or resolve an issue raised by you, yes, your clients will need to be made aware of this before signing them up".
This document is written for cloud service providers detailing what they need to be doing to be compliant.
Create a policy document
Simply Docs has published a detailed template for such a document.
The ICEAW lists that the policy document will need to cover:
- Who is responsible for what and reporting lines.
- How to get consent, when you need consent and what to do if consent is withdrawn.
- How to meet requests from individuals regarding their rights under GDPR.
- Privacy notices – what to include and when to issue.
- Subject Access Requests – what to do and when.
- What to do if there is a breach, how to record it, who needs to be informed and when. (And test it!)
Review letters of engagement (LOE) and disengagement letter templates
These will need to be reworked to comply. The institutes are working on updating advice as confirmed by TaxAdviser: "‘Engagement letters for tax practitioners’ are currently being worked on jointly by AAT, ACCA, ATT, CIOT and STEP. The working party of these professional bodies is working towards issue of the updated guidance and template letters in early summer 2018".
Ensure that a 'letter of disengagement' is issued when a client leaves. Review this to confirm the timescale that information will be kept before being destroyed. Include in the policy document the process for deleting an individual’s personal data.
Consent requires a positive opt-in. No pre-ticked boxes or any other method of default must be used. Much has been said about the need for consent in processing data, however, if you are legally required to supply information (eg providing an employee with a written pay statement) this requirement precedes the need for employees consent. However, pending clarification from the ICO, it would be best practice to ensure permission has been given to send personal data by unencrypted email.
Emailing and encryption
Emailing attachments such as payslips or tax returns is not expressly forbidden under GDPR but whether they represent “appropriate technical measures" is questionable so all accountants will need to consider the level of encryption used by their practice.
The ICEAW webinar draws an analogy with posting an important document – if you intended to post rather than email would you send by recorded delivery?
Finally, see here for members comments on the level of encryption they think is needed under GDPR:
To read the latest news and discussions on GDPR in the profession, visit AccountingWEB’s specific GDPR tag page.