ICO: Small businesses ‘increasingly reliant’ on accountants for data protection help
The Information Commissioner's Office has called on accountants to recognise the ‘crucial role’ they play in helping small business clients stay on the right side of data protection rules. To aid this, the data watchdog has provided a list of questions for accountants to ask SME clients about data protection compliance.
A study conducted by the UK’s information regulator found that 34% of SME businesses trust their accountants for advice, while 20% actively use accountants to keep up to date on data protection and GDPR.
Faye Spencer, Head of Business Services at the Information Commissioner's Office (ICO), called accountants a “key part” of the SME support network as businesses look to their professional network for guidance as they grow.
“It’s clear from our engagement with SMEs that many are reliant on their accountant to ensure their business dealings are compliant with data protection laws,” said Spencer. “We’re encouraging accountants across the UK to recognise the role they play and the value they can add when it comes to offering peace of mind to clients running their own businesses.”
Established in 1984 and funded predominantly by the million or so companies that pay the data protection fee (plus grants and income generated from fines), the ICO is an independent regulatory body designed to deal with a range of information and data legislation, including the Data Protection Act 2018 and the General Data Protection Regulation.
Along with policing various data regulations, the ICO provides free resources for small businesses such as advice and guidance on data protection, electronic marketing and freedom of information on its SME hub.
Key questions for accountants
To coincide with its call for accounting firms to support small businesses with data protection advice, the ICO has provided a list of key questions for accountants to ask SME clients about their data protection compliance:
1. How much do small business clients know about data protection compliance and the ICO? Have they heard of the legislation or given any thought to how they will apply it to their own business? The regulator encourages SMEs to register with it so they have access to its free resources.
2. What types of personal information will they collect on a day-to-day basis? Ask clients to make a list of the personal information they already have or are likely to collect as part of their business operations, as they will need to account for it all.
3. Why are they holding this personal information? Encourage clients to ask themselves this question. If they’re holding or using people’s personal information, it must always be fair, as well as lawful. This means they should only use people’s data in ways those people would reasonably expect.
4. What security measures do they have in place? Check client security lines up with the sensitivity of the information they hold. Clients should put stronger measures in place if the data poses a higher risk or is sensitive.
5. Do they know what to do if their business has a personal data breach? ICO guidance states that a data breach action plan is essential for all businesses. If they do have a personal data breach, they'll need to report it to the ICO, unless they're satisfied it's unlikely to result in a risk to the people affected. The ICO has a guide on how to respond to a personal data breach so clients know what steps to take in an emergency.
6. Do they have a privacy notice? The data watchdog states that it’s essential for businesses to tell people why they hold information about them, what they'll do with it, and how long they'll keep it before safely disposing of it. This should be recorded in a privacy notice – the ICO has a template for SMEs to use.
7. Do they know what a subject access request (SAR) is? Customers and the general public have the legal right to ask businesses what personal information they hold about them. The ICO has a step-by-step guide on how to deal with a subject access request.
Will 'trusted data protection adviser' status add to accountants’ workload?
Some accounting firms will no doubt agree with, and in some cases revel in, the ‘trusted data protection adviser’ tag bestowed upon them by the ICO. However, there will be some that feel the additional burden of providing non-financial advice on issues such as this could act as a drain on their bottom line.
There’s no doubt that the role of ‘accountant as tech consultant’ has grown steadily over the years. Once the preserve of elite firms passing audit clients back and forth between their consulting wings, now technology has encroached on almost all parts of the business ecosystem, and conversations about the right tools have become a regular part of working life for practices large and small.
But for smaller firms, such services are potentially time-consuming and difficult to price – or to charge for in the first place. With SME clients, particularly those starting out with limited capital to invest in advisory services, this conundrum seems particularly acute. In such cases, the ability to direct clients to resources such as those provided by the ICO could prove helpful.
"This is the ICO basically saying ‘businesses are not listening to us, who do they listen to and can we get them to share the message’," said Billie McLoughlin, practice consultant at 2020 Innovation. "It feels a little unfair in my opinion as the burden once again falls to accountants.
"Accountants, the unsung heroes over the past three years, are now being poked and prodded from yet another angle to offer support to their clients for very little reward.
"Accountants should share this information and available resources from the ICO amongst the team to raise awareness, but not get too bogged down in the detail. Ensuring they know where to send clients to educate themselves is enough in my opinion, as firms' resources are best spent elsewhere. Those accountants who believe they have the capacity to offer tailored advice or training sessions for clients can do so, but it is essential they charge accordingly."
The ICO is currently running a pilot programme with around 60 UK SMEs, trialling a new self-assessment and development programme. The SME Data Essentials pilot is aimed at providing organisations with the information they need to manage their own data compliance, and ultimately at bringing down the cost of complying with data regulation.
23 February 2023: This article was amended to add a comment.