AccountingWEB

GDPR and the small accounting firm

27th Mar 2018

In two months GDPR becomes legally enforceable. Jennifer Adams sorts through the wealth of information available to the smaller accounting practice and pulls together an action list towards compliance.

What do small firms actually need to do to be GDPR compliant?

Google 'GDPR UK' and you get 2,280,000 results; some relevant to the small firm and some quite obviously not. While one size definitely does not fit all, there are areas of common ground. If you work on your own or are a smaller firm, the job of compliance will be down to you and will add to your already heavy workload.

The legislation is complex, and with complexity comes numerous misconceptions. For example, it’s often believed consent must always be explicit (it isn't), that the 4% fine is for all data breaches (it isn’t), and that it is mandatory to appoint a data protection officer (it isn’t - this role is largely reserved for those processing “special categories of data”).

Even so, all accountants must comply with GDPR as they hold information that can be used to identify an individual.

Starting point

  1. Visit the ICO's website. Download the publication 'GDPR: 12 Steps to take now', which gives a helpful guide to the regulation. The sister publication, the 'checklist', should be all you need to confirm whether your processes comply, but you have to get through the jargon first: eg the first question asks whether your business 'has conducted an information audit to map data flows' but does not explain what 'an information audit' is. You will, however, find the checklist useful once you have finished the work.
  2. Ensure that someone in the firm registers as a data controller with the ICO if this has not already been done. This is not a new obligation, so accounting firms should be registered already. Although the ICO may have its hands full at the moment with Facebook and Cambridge Analytica, being registered means being on the ICO's radar for a possible compliance check at a later date.

Research relevant GDPR articles

With the amount of GDPR information available online, it is difficult to work out which article or website is relevant to the profession. For once, the institutes have got their act together and either issued their own text or collaborated with other institutes:

  • The ICPA guide written by Mark Lee must be downloaded for use as the main textbook. It sets out the process to follow in a clear and concise way.
  • The AAT page on GDPR is written in non-jargon.
  • STEP issued a 'Briefing Note' on 5 March 2018.
  • Unfortunately, the ICAEW has 'locked' some of its downloads for members only, but there is still some interesting text available to all. Most important is a useful recorded webinar that is compulsory viewing.

Start and record your 'audit' – your own systems

List what needs to be done to comply

Treat it as you would a road map – a journey to an end. You need to think about all the information coming into and being used by your firm and write down every step of the process. Document the type of personal data you hold, where it comes from, where and how it is stored (eg which software is used), how it is processed, with whom it is shared, how long it is kept and, if possible, the legal basis for retaining the data. Use the project as a way of ensuring that you have all the information you need, eg check that you have the correct email addresses and phone numbers for each client.

Create a data audit form spreadsheet

The We Will Thrive site holds a good basic checklist as an aide-memoire of areas that need to be considered and includes a template.

The ICO has also created Excel spreadsheet templates, although obviously not bespoke. Scroll down to the pdf 'documentation for controllers and processors'.

Start and record your 'audit' – the systems you use

Research the compliance of the various software providers used. Find out what they are doing with the data they are holding eg in January Legal e-sign issued a consultation document asking customers to let them know whether the company's intended plans would fit in with their customers' needs.

The ICAEW webinar stated that you need to look at the terms and conditions of each software program used (which should be available on its site) to see what its policies are, particularly for those with cloud storage. When and how will the data be held, and for how long? Remember to record what you have done, that you have searched for the information, and what you found.

As an example, AccountingWEB member and Clearbooks user Paul Scholes asked the software company about its accountability and received confirmation that it has updated its terms and conditions. In addition, it stressed that clients of accountants using its software will need to be made aware that "Clear Books employees will from time to time be required to access your Data for legitimate business purposes, such as to assist you with a support query or to investigate or resolve an issue raised by you, yes, your clients will need to be made aware of this before signing them up".

This document is written for cloud service providers detailing what they need to be doing to be compliant.

Create a policy document

Simply Docs has published a detailed template for such a document.

The ICAEW lists what the policy document will need to cover:

  • Who is responsible for what and reporting lines.
  • How to get consent, when you need consent and what to do if consent is withdrawn.
  • How to meet requests from individuals regarding their rights under GDPR.
  • Privacy notices – what to include and when to issue.
  • Subject Access Requests – what to do and when.
  • What to do if there is a breach, how to record it, who needs to be informed and when. (And test it!)

Review letters of engagement (LOE) and disengagement letter templates

These will need to be reworked to comply. The institutes are working on updating advice as confirmed by TaxAdviser: "‘Engagement letters for tax practitioners’ are currently being worked on jointly by AAT, ACCA, ATT, CIOT and STEP. The working party of these professional bodies is working towards issue of the updated guidance and template letters in early summer 2018".

Ensure that a 'letter of disengagement' is issued when a client leaves. Review this to confirm the timescale that information will be kept before being destroyed. Include in the policy document the process for deleting an individual’s personal data.

Misc points

Consent

Consent requires a positive opt-in: pre-ticked boxes or any other form of consent by default must not be used. Much has been said about the need for consent in processing data; however, if you are legally required to supply information (eg providing an employee with a written pay statement), that legal requirement takes precedence over the need for the employee's consent. Pending clarification from the ICO, though, it would be best practice to ensure permission has been given before sending personal data by unencrypted email.

Emailing and encryption

Emailing attachments such as payslips or tax returns is not expressly forbidden under GDPR, but whether they represent "appropriate technical measures" is questionable, so all accountants will need to consider the level of encryption used by their practice.

The ICAEW webinar draws an analogy with posting an important document – if you were going to post it rather than email it, would you send it by recorded delivery?

Finally, see here for members' comments on the level of encryption they think is needed under GDPR:


To read the latest news and discussions on GDPR in the profession, visit AccountingWEB’s specific GDPR tag page.

Replies (24)


By Jonathan@Aiteo
27th Mar 2018 13:21

Very helpful summary - many thanks for putting it together.

Thanks (7)
By paul.symons
27th Mar 2018 16:31

Yes. A good starting point for a firm our size. Now. What software does the community recommend for passwording zip files so that we can send several payroll documents in one file for approval. We have tried WinRAR, but it seems full of bugs and the pdf files cannot be opened.

Anyone have a better suggestion?

Thanks (0)
By ireallyshouldknowthisbut
28th Mar 2018 09:30

So basically for the sole prac:

1. Don't worry about it
2. Make sure there is active consent on your T&C's rather than passive consent for email correspondence (ie they have to sign them, don't just forward them as you might for SA)
3. Make sure you do a proper disengagement letter

Sorted.

Thanks (1)
Replying to ireallyshouldknowthisbut:
By BryanS1958
28th Mar 2018 10:37

That's more the sort of useful summary I'm looking for!

Basically my clients don't know and don't care, so all I want to do is the minimum of jumping through hoops to comply with burdensome regulations at lowest possible cost and inconvenience, same with AML.

Thanks (3)
Replying to BryanS1958:
By BryanS1958
28th Mar 2018 10:46

Not sure how I'll get active consent from my clients who don't bother to read anything. I'll probably have to go to their houses and put a pen in their hand.

Thanks (5)
Replying to ireallyshouldknowthisbut:
By Jonathan@Aiteo
28th Mar 2018 10:51

AIUI, your active consent for marketing purposes needs to be unbundled from your T&Cs.

Thanks (0)
Replying to Jonathan@Aiteo:
By BryanS1958
04th Apr 2018 18:39

I thought AIUI was yet more abbreviation of regulatory terms, designed to ensure the uninitiated have no clue what is going on.....turns out to be as I understand it:-)

Thanks (0)
Replying to ireallyshouldknowthisbut:
By EnglishRose
23rd May 2018 09:10

I would add to the short list make sure your marketing emails include an "unsubscribe" and finally register with the ICO which will just cost you £35 and is compulsory for many (and stick a privacy policy on your website if you don't already have one)

Thanks (0)
By Mark Lee
29th Mar 2018 15:44

Thanks for including the guide I wrote for ICPA in your list Jennifer.

Here's a little known observation about Data Protection Officers.

The GDPR introduces a duty for you to appoint a data protection officer (DPO) only if you are a public authority, or if you carry out certain types of processing activities. This will rarely be the case for accountancy firms.

A DPO has specific obligations and protections under the law so it may not be a good idea to appoint one if you are not obliged to do so.

I have heard that some larger firms are instead appointing a Data Privacy Officer (also abbreviated to DPO) so they can better specify what they require/allow their DPO to do.

Thanks (0)
Replying to bookmarklee:
By SteveRA
28th Mar 2018 21:47

Jennifer, not Janet!

Thanks (0)
By GamekeeperTurnedPoacher
28th Mar 2018 11:02

Thanks, Janet, huge, huge help! Much appreciated!

Thanks (0)
By djn
28th Mar 2018 11:18

I'd like to know what people's thoughts are on these and if you will continue to do so after may:
Email payslips with no password.
Send letters by email containing personal info- again no password.
Correspond at all by email without encryption.
Mail merge emails asking for year end books- again no password.

Are these allowed, as I have been on a few courses that seem to say no?

I understand the need for security but this could add a lot of time to routine tasks.

Thanks (0)
Replying to djn:
By Jonathan@Aiteo
28th Mar 2018 11:24

This:

https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/

...suggests encryption is to be used as 'part of a range of technical measures' and that should be matched against the risk, as 'it cannot be used in every processing operation'.

Thanks (0)
Replying to Jonathan@Aiteo:
By djn
28th Mar 2018 17:15

Jonathan@Aiteo wrote:

This:

https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/

...suggests encryption is to be used as 'part of a range of technical measures' and that should be matched against the risk, as 'it cannot be used in every processing operation'.

Suggests or mandatory? So will we get in trouble for not doing so???

Thanks (0)
Replying to djn:
By Jonathan@Aiteo
28th Mar 2018 17:52

I think it's for the ICO to issue some guidance on what its expectations are. Based upon the strict reading of the principle, there is no absolute obligation to use encryption, but I think you would be expected to have evaluated & risk-assessed the most sensitive areas.

Thanks (1)
Replying to Jonathan@Aiteo:
By djn
28th Mar 2018 18:13

All I want is to comply. I'm really not bothered if I don't achieve a gold standard.
Absolute minimum is enough for me.
Still not any clearer on whether I can email things without encryption etc.

Thanks (0)
Replying to djn:
By jon_griffey
28th Mar 2018 14:51

djn wrote:

I'd like to know what people's thoughts are on these and if you will continue to do so after may:
Email payslips with no password.
Send letters by email containing personal info- again no password.
Correspond at all by email without encryption.
Mail merge emails asking for year end books- again no password.

Are these allowed as i have been on a few courses that seem to say no.

I understand the need for security but this could add a lot of time to routine tasks.

These are exactly the sorts of practical issues that we need guidance on.

It is all very well encrypting attachments to emails, but the body of emails themselves will often contain personal information and it is impractical to encrypt that. Clients will email spreadsheets unencrypted for review, and to email them back with encryption will inconvenience them.

Although it is feasible to do this, it will be very inconvenient and clients will have no end of trouble trying to decrypt.

I suppose it will come down to the level of risk. A confidential medical report warrants encryption, but an SA302 perhaps not.

Thanks (2)
Replying to jon_griffey:
By EnglishRose
23rd May 2018 09:07

I took out some completely impracticable security requirements in a GDPR contract amendment this week as no one would ever have complied with them however perfect they are. You certainly have to keep personal data safe and secure however so up to each company to decide. GDPR does not state you have to encrypt emails which contain personal data. One of the terms I took out said the personal data must be removed from the email and put in a password protected or encrypted attachment. Yet just sending your name in the email address of course is sending personal data.

Thanks (0)
By SAservices31
28th Mar 2018 11:19

There is also lots of information put together by ACCA for ACCA members both on the website and in the monthly In Practice magazine

Thanks (0)
By jon_griffey
28th Mar 2018 15:00

And furthermore, if we add clients as Facebook friends, or simply unwittingly allow Facebook access to our phone's contact list, does this make Facebook our Data Processor? Where does that leave us as Data Controllers when Facebook harvests their personal details via our profile/contact lists for some nefarious use?

Thanks (0)
By North East Accountant
03rd Apr 2018 09:05

Surely it's not beyond the wit of ICAEW etc to provide a practical toolkit on all issues such as what we can and can't email, or whether encryption is required.

Not going to hold my breath.

Thanks (0)
By BryanS1958
04th Apr 2018 18:35

The number of responses and the obvious confusion for most practitioners just shows how a molehill has managed to become a mountain and how useless the professional bodies are in helping small practitioners wade through the quagmire at the bottom.

Even those that have been on courses seem to be no more certain of what to do and opinions widely vary. And why should sole practitioners have to be spending time and money on courses for regulation that is a cost and of no benefit to them and which 99% of their clients will be blissfully unaware of and will not care about if they were aware.

All that is really needed is a simple guide/flowchart that says if you do this, this and this you should be broadly OK; if you do this, this and this you could be in trouble and in the following cases .... ask for further advice.

Thanks (0)
Replying to BryanS1958:
By cfield
25th Apr 2018 11:51

Agree 100% re the flowchart. To me this seems the best way to help sole practitioners. Just break the subject down into small chunks and restrict it to the type of things that actually affect us. Then advise accordingly.

Example questions might be:

- Do you use client data for marketing purposes?
- Do you send client data to any third parties other than HMRC and Companies House?
- Do you send email attachments to clients containing personal data?
- Do you store personal data off-site or on the Cloud?
- Do you regularly upgrade your anti-virus software?
- Do you have any staff with access to client data?

I'm guessing that all most of us need to do is encrypt emails with sensitive data, update engagement letters and just be generally aware of privacy and data issues.

If your clients start getting spoof emails purporting to come from you, that shows hackers have obtained their email address at the very least, either from intercepting them in cyberspace or hacking into your address book (or from data leaks by your internet service provider).

I assume this counts as a data breach which must be reported within 72 hours. Given how often this occurs, there could be literally millions to report in the UK every week. Does every single instance need to be reported? Is every single report going to be looked at and followed up? This is the sort of thing we need clarification on.

It's good that the GDPR is non-prescriptive in terms of how you comply and requires you only to take whatever reasonable steps to secure data are commensurate to your business, but we need good guidance as what would be reasonable.

For example, must all emails be encrypted now? Is that a minimum requirement for a small firm of any size, or is it just some emails we need to do this for?

Thanks (0)
By woody24
03rd May 2018 17:43

Gmail and cloud based services
Since Gmails are stored 'somewhere' on the Google cloud (presumably outside the EU), do you have to get specific permission from the client to use Gmail as your e-mail server?
Also if you download client attachments onto Google Drive, do you have to get specific permission or can you just say that you use Google Drive in your letter of engagement?

Thanks (0)