Huge data center

GDPR: How to prepare your firm

27th Sep 2017
Commercial Manager
Share this content

Accountants hold particularly sensitive data on their clients. In the second of a three-part series on GDPR  T-Tech’s Lauren Parker-Mitchell aims to provide practical advice and asks some questions you need to know the answers to in the future with relation to this updated regulation.

When it comes to GDPR compliance, it’s important to understand your obligations regardless of where your firm resides. It will take time, tools, processes and expertise for you to comply with the new regulation and to do this, you need to show you are improving your privacy and data management practices. Failure to do so could prove costly – by not meeting the requirements your firm could face reputational harm and fines of £20m, or 4% of your annual turnover, whichever is greater.

To ensure your firm is aligned with GDPR and that you don’t have a run in with the ICO, it is time you raise some questions about the way your data and your clients’ data is stored and secured.

Leading with the most important questions, see how many of these you can confidently answer about your firm.

Who owns or can access the data you store?

Do you outsource any services? From IT, server hosting, legal even the cleaning company you use. Do they have access to your data? If so, what data and how do they access it?

You need to find out who your service providers are, what they do with your data, and how much control they have over it. Some service providers use their clients’ data to build on their own products, i.e. for marketing or advertising purposes.

But the GDPR will enforce stricter rules for using personal data for these purposes. For example, to receive any external marketing materials you will have to opt-in, and have the right to withdraw your consent at any time. So if you are the source of data you need to have control over what is happening with it.

Do you offer privacy controls for your client’s data?

Here you need to consider what privacy controls are enabled on your system by default and what you are in control of. So, does your client have access to turn on or off privacy-impacting features, or are you completely in control of that? If data control is in your hand, what processes internally do you have in place to manage that?

Do you have visibility into where you store your clients’ data?

Is it kept in a server room or managed by a third party? By asking your IT team or service provider where your data is located, you should also be told who can access it, and how they report on data access. What about backup data? Is it secure or is it on a collection of tapes that get swapped out and brought home?

What is your approach to security and which security features?

Do you offer to protect your clients from potential external attacks? Again, the IT Team or service provider needs to tell you what they do to secure your hardware, software, and data centres. If they are a managed by a third party, the under GDPR you can ask to see the policies and controls they use, and how they implement these measures to secure your data.

Can you easily extract your data out of your system?

You should find out if you can extract or download a copy of your data at any time, without any assistance from any service provider.

What standards does your firm comply with?

Complying with standards like Cyber Essential Plus, ISO 27001, and PCI DSS will have you well on the way to GDPR compliance. Gaining assistance to achieve these certifications is easily done by engaging a third party with the expertise.


Replies (5)

Please login or register to join the discussion.

By PVJ Ltd
28th Sep 2017 14:15

Not sure I agree with some of the information contained in this article. To be fair to the author, I think it was written with a different context and audience in mind. With a different hat on it reads very well, but I don't think it is great for a professional services audience.
Let's be clear. GDPR relates to personal data i.e. where a data subject (a living person) can be identified. I agree that accountants do hold sensitive information, but mainly company information which may not contain personal information. However, if you run the payroll for a client, you will indeed hold personal information. Some of this may be sensitive which does hold the higher level of fine. (BTW the fines are €20M not £20M, but what's £3M between friends.)
The author has done a very good job of making the reader think. Reading this you should be asking a number of questions about the data you have. A data audit is the first step. Then just approach the data in the same way you approach other risks to your business. The difference with GDPR however is that you also need to assess the risks to the data subject, not just the business risk.
One final point is the role business play.
Data you have collected is 'your' data and you are responsible for it. You are the data controller. Technically not true either. In fact, the data is owned by the data subject, but we can discuss that later.
Data that you have provided by a client is not your data. You may only process it in the way that the Controller (your client) has instructed you to. You should review all of your contracts - upstream and downstream. In this case you are the Data Processor. You now can be fined by the ICO if it is not processed correctly. To go back to the payroll example, you need to check that you have lawful grounds to process the information. I think in payroll you do but do check the contract. Or do you hold the names and addresses of shareholders? Why? Even storing personal data is processing it.
OK - now turn it round and start to look at the services that other businesses do for you. Your role and responsibilities will be different.
Lastly look at it from your own personal perspective. This is when it all starts to make complete sense. You own the information about you. Noone else. They have responsibilities to you. You have new rights and protections. It is a huge step forward to protecting you and as a business thinking about it in that way will help you prepare. I can plan the rest!!

Thanks (0)
By PVJ Ltd
28th Sep 2017 16:17


Thanks (0)
By RichBatoul
28th Sep 2017 14:59

Are the fines correct at £20m or 4% of annual turnover whichever is the greater ?

In my case £20m will be more than 100% of 20 years turnover so I may as well file for bankruptcy now !

Thanks (1)
Replying to RichBatoul:
By PVJ Ltd
28th Sep 2017 16:22

There are two levels of fine. €20m or 4% of international turnover or €10m or 2% of turnover. So if your turnover is £100000 the maximum fine would be £4000. In addition data subjects could sue for damages. These can be dire t znd now indirect damages. However don't focus on that. Too many consultants market on the fines. It is actually really good law. Did I really say that! Actually yes. It is a really positive step forward for individuals and businesses. You just have to work differently.

Thanks (0)
Replying to PVJ Ltd:
By RichBatoul
19th Oct 2017 16:17

The article states that the fine is €20m or 4% of turnover whichever is the greater.

Thus, if 4% of turnover is less than €20m then the fine must be €20m as that is the greater figure.

Thanks (0)