GDPR: What accountants need to know

14th Sep 2017
Commercial Manager

In the first of a three-part series on GDPR, T-Tech’s Lauren Parker-Mitchell looks at why the regulation changes have come about, what they mean and how they will affect accountants.

What is it?

Keeping your clients’ information safe and secure is now one of the top priorities for accountancy firms. All industries are at risk, and it was reported that in 2016 there was a 22% increase in cybercrime.

Juniper Research reported that cybercrime will cost businesses over $2tn by 2019. The proof is out there on the ICO website and in the media: the NHS, TalkTalk and Netflix; all household names, all falling victim.

In light of such statistics, the General Data Protection Regulation (GDPR) couldn’t be approaching at a better time. As of 25 May 2018, the EU GDPR will come into effect, setting a new bar for security, privacy rights and compliance. It will apply to all organisations in the EU, including the UK (despite Brexit).

From a personal perspective the new regulation will ensure:

  • Individuals’ control over all their personal data
  • Extra security and controls to protect data

From a business perspective, it means more accountability of what we do with other people’s data, how we use it, interact with it and store it.

What are the penalties for non-compliance?

To ensure these updated regulations are taken seriously, penalties of £20m or 4% of your annual turnover (whichever is higher) for non-compliance are being laid out as potential punishment at the discretion of the Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights in the public interest.

Elizabeth Denham, information commissioner for the ICO, has been named one of the most influential people in data driven business in 2017. With those kinds of penalties in her back pocket, you can understand why.

However, as discussed in this piece, the ICO has stated that fines under GDPR will be necessary, proportionate, and only ever applied as a last resort.

Who will be affected?

As the updated regulation comes into effect, organisations that obtain any data will be impacted – so pretty much everyone.

Many accountants we work with at T-Tech would agree that despite handling vast amounts of sensitive data daily, they perhaps do not think about the back-end system that is holding this data as much as they should, or even the process of how this data moves around and out of the business. There is so much else going on!

A lot of businesses, not just accountancy firms, are heavily reliant on their current systems having secure measures in place but don’t know for sure whether they are running to a standard ready for 2018 or 2008.

Another consideration is firms using older, custom-built systems or applications running on old servers. Are they really fit for purpose? Not only for GDPR, but also for future-proofing their business. Many professional services firms are looking at this regulation change as an opportunity to gain efficiencies and improve technologies to take their firms into the future.

Process change catalyst

Cybercrime isn’t the only element that needs to be considered. Internal operations, employee education, processes and activity also need to be deliberated. Royal & Sun Alliance Insurance was fined £150,000 in January 2017 for the theft of a hard drive, while other companies in the finance sector have received fines ranging from £40,000 to £175,000 in the last two years for marketing activity that breaches the current data laws.

As these laws become more stringent, the responsibility is on everyone, from communication with the public, to how staff manage the information they are exposed to.

Why the changes?

You may be wondering why there is so much focus on the new GDPR. Surely, it’s just an updated version of the current Data Protection Act (DPA)? And if this is the case, then my firm doesn’t need to be making any changes?

The first thing to understand here is why these changes have come about, and why they are happening now. Data has become, and is increasingly becoming, a much higher-class asset for firms worldwide. Data pervades almost everything we do digitally, and as the accountancy world moves more and more into the digital sphere, it is important that your firm stays compliant with GDPR.

What do I need to do?

To begin your journey to compliance, you need to start reviewing your privacy, data governance policies and procedures now, as well as the technology underpinning all of this.

Take this opportunity to review your data strategy and how you can move toward modernising your technological infrastructure.

Some steps in the right direction would include:

  • Identify the data you hold on your clients, which could include things such as their contact details or their business bank account information.
  • Ask yourself: ‘Do I need to be holding this data? What am I using it for?’
  • Check your cyber protection methods and ensure you or your third-party providers have taken precautions such as installing encryption software on all laptops, PCs and electronic devices you and your staff use. Is all patching up to date on servers you hold on or off site?
  • Appoint a data protection officer and establish reporting procedures to ensure you know exactly who and what you need to report regarding any data breaches.

By using these steps as a starting point, you will be able to work out where you sit on the path towards being prepared, and from there you can start taking action.

We suggest you don’t wait until the last minute to make changes. Elizabeth Denham certainly won’t be making excuses for anyone come May 2018.

So, get on top of gaining stricter control on how your clients' data is stored and handled, and take action on implementing improved data policies to reach compliance.

Replies (2)


By AndrewV12
15th Sep 2017 09:47

'A lot of businesses, not just accountancy firms, are heavily reliant on their current systems having secure measures in place but don’t know for sure whether they are running to a standard ready for 2018 or 2008'.

That's me.

It's all typical: we are all told the cloud is the way forward, but this has got us all worried, to some degree anyway.

Thanks (1)
Replying to AndrewV12:
By WebDude
18th Sep 2017 21:06

AndrewV12 wrote:

we are all told the cloud is the way forward, but this has got us all worried...

Over 30 years ago I was taught about data backup with a "grandfather, father, son" model keeping a daily backup of changes ('son'), weekly full backup ('father') and a monthly full backup too.

Of course, more copies are better than fewer (so do a monthly backup on month change, followed by week1, week2, week3)... and now and then add a new test file, delete it from the disk after backup, and be sure it could be retrieved a week or two later...

Nowadays you need to update to keep one backup on the cloud, one off site (eg at a director's home) and another locked away at the office. Multiply backups as much as you feel able to (a) afford and (b) not reduce general productivity, and you should be safer... not just ready for GDPR, DPA, and in case of flood or fire, but be protected against data encryption / blackmail too.

Amazon has a service called Glacier for long term storage of large quantities of data, so copy (encrypted) backups there and fingers crossed never need to retrieve them. Then make use of Carbonite or similar (or 1000 GB of Microsoft storage) for weekly and daily backups.

Don't tear your hair out, but ask your IT support staff / firm what they have in place. Whatever else, however, do keep at least one copy on drive/drives that are taken off site and stored elsewhere for at least a week.

Thanks (1)
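The "grandfather, father, son" rotation and the "add a test file, delete it, make sure it can still be restored" check that WebDude describes, written out as an added Python example that is not part of this thread. The names (`gfs_retention`, `BackupStore`, `verify_restore`) are my own, the backup target is an in-memory stand-in for a real store, and the dates and files are constructed sample data. The retention rule generalises the post's daily/weekly/monthly scheme to any keep counts, and the restore check compares a hash so a silently corrupted copy is reported as a failure, not just a missing one.

```python
"""GFS ("grandfather, father, son") backup retention plus a restore check.

Added example with constructed data; BackupStore stands in for a real target.
"""
from datetime import date, timedelta
import hashlib


def gfs_retention(snapshots, keep_daily=7, keep_weekly=4, keep_monthly=12):
    """Return the sorted list of snapshot dates to keep.

    sons:         the newest `keep_daily` snapshots
    fathers:      the newest snapshot in each of the newest `keep_weekly` ISO weeks
    grandfathers: the newest snapshot in each of the newest `keep_monthly` months
    A snapshot that qualifies under several rules is simply kept once.
    """
    snaps = sorted(set(snapshots))
    keep = set(snaps[-keep_daily:]) if keep_daily > 0 else set()

    def newest_per_bucket(key_fn, count):
        buckets = {}
        for d in snaps:              # ascending order, so the last write per bucket is the newest
            buckets[key_fn(d)] = d
        newest_keys = sorted(buckets)[-count:] if count > 0 else []
        return {buckets[k] for k in newest_keys}

    keep |= newest_per_bucket(lambda d: tuple(d.isocalendar())[:2], keep_weekly)
    keep |= newest_per_bucket(lambda d: (d.year, d.month), keep_monthly)
    return sorted(keep)


def gfs_retention_iso(iso_dates, **kw):
    """Same rule, but in and out as ISO date strings ("2017-09-18")."""
    return [d.isoformat() for d in gfs_retention([date.fromisoformat(s) for s in iso_dates], **kw)]


class BackupStore:
    """Toy backup target: every snapshot is a full copy keyed by its date."""

    def __init__(self):
        self.snapshots = {}

    def backup(self, snapshot_date, files):
        # copy the bytes, so later edits to the live source never leak into an old snapshot
        self.snapshots[snapshot_date] = {name: bytes(data) for name, data in files.items()}

    def restore(self, snapshot_date, name):
        return self.snapshots.get(snapshot_date, {}).get(name)

    def prune(self, keep_dates):
        for d in list(self.snapshots):
            if d not in keep_dates:
                del self.snapshots[d]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_restore(store, snapshot_date, name, expected_digest):
    """The post's test-file check: can a file that no longer exists on the source
    be recovered from the given snapshot, byte for byte?"""
    data = store.restore(snapshot_date, name)
    return data is not None and sha256(data) == expected_digest


def demo():
    """Daily backups 2017-06-01..2017-09-18, then prune with a 7/4/3 GFS policy
    and check the canary file from several snapshot dates."""
    today, start = date(2017, 9, 18), date(2017, 6, 1)
    store = BackupStore()
    source = {"ledger.csv": b"client,balance\nACME,100\n"}   # constructed sample data
    canary_name, canary = "restore-canary.txt", b"canary written 2017-09-01"
    d = start
    while d <= today:
        if d == date(2017, 9, 1):
            source[canary_name] = canary          # add the test file before the backup ...
        store.backup(d, source)
        if d == date(2017, 9, 15):
            del source[canary_name]               # ... and delete it from the source later
        d += timedelta(days=1)
    keep = gfs_retention(store.snapshots, keep_daily=7, keep_weekly=4, keep_monthly=3)
    store.prune(keep)
    checks = {
        iso: verify_restore(store, date.fromisoformat(iso), canary_name, sha256(canary))
        for iso in ("2017-08-31", "2017-09-01", "2017-09-10", "2017-09-14")
    }
    return {"kept": [k.isoformat() for k in keep], "canary_restorable": checks}


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible that the post only states: the weekly and monthly "fathers" and "grandfathers" are the newest copy of their bucket, so a file that lived only a few days can vanish once the daily "sons" roll off (here the canary is gone from the 1 September snapshot, which was pruned, but survives via the 10 September weekly); and a restore check must be made against a snapshot that actually held the file, which is why it should be repeated a week or two after the file is created, as WebDude suggests.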