The GDPR-ready practice: Acquiring and sharing information


Accountants have always prided themselves on providing a confidential service. The combination of GDPR (General Data Protection Regulation) and modern technology is providing some interesting challenges. In the first of a three-part series, employment law expert Annabel Kaye reflects on some of the areas of concern.

The profession has to share information with statutory bodies, but also keep information safe and confidential. How can GDPR problems be avoided?

GDPR came into force in the UK on 25 May 2018. All practices (and organisations) are ‘data controllers’ when choosing which information to collect about prospective or active clients. This imposes a duty on the data controller to limit the information collected about living individuals to what is necessary for a given purpose.

For example, if you are building a mailing list of potential clients then you will not need their tax reference number to add them to your mailing list. Conversely, if you are negotiating a complex tax case with HMRC you may need to collect a range of data about the client’s personal and business affairs. Team members may need to access some of that data to carry out their work, but the billing department is not going to need access to all the information on file about a client.

You will need to limit not only the range of data collected but also who has access to it. Giving team members full access to client data is going to be a thing of the past. GDPR is all about giving access only to what is needed only to those who need it.

We are all familiar with team roles in software such as Xero, but we need to take care to use a role-based approach everywhere we share data with our internal teams.

It is easy to get lost in the jargon of GDPR with its various lawful purposes for collecting data, but get back to basics and ask yourself:

  • Do we need this information at all?
  • If we do need this, do we need it at this stage or later?
  • Who needs to access it and why?
  • Can they manage with access to some of the data?

With these questions you will find it a lot easier to make sense of what needs to be done. The person who does your marketing does not need access to your data which supports anti-money laundering checks – and neither does your day-to-day service team or billing team.

Think of client information like money in the business: it flows through from marketing, to identity checks, to getting and doing the work, to billing and credit control, to accounting and historic record. Not everyone you have contact with makes it through this entire cycle. And not everyone who works at various stages of the cycle needs all the information.

Information is a dynamic thing in your business and as a result GDPR compliance is a continuous process. Your data needs may be quite different to another practitioner’s needs if you are offering a different range of services or working in a different way.

If you change what you offer, or how you structure your team, you will need to revisit your processes to make sure you are still complying with those fundamental principles. If you go from a mostly employed team to an outsourcing model, this will trigger a big change. If you change the platforms you use to market or to provide your services, you will need to review your GDPR compliance in this context too.

It is important to have policies and to train anyone who touches the data you handle. This is not something you do once and forget about. New team members need to be brought up to speed with how you do things and why, and changes to processes will mean updating established team members.

Securing or sharing

Sharing data with external bodies may be a legal requirement. It is not always up to you which information you share with whom. Anti-money laundering procedures require disclosure without notifying the client and HMRC can require a wide range of personal information about clients, particularly when conducting investigations.

With the exception of anti-money laundering reporting, the client should always be notified what information you are sharing with HMRC and why. The client should know what is happening with their information, and who it is being disclosed to. If it would not be obvious to the client from your data privacy policy that you would be sharing this information then you should make an explicit disclosure to the client first.

However, a legal obligation to share information about living individuals does not bypass the requirement to process data securely. The information clients share with you should be:

  • Sent to you securely
  • Held securely
  • Shared securely

Clients can often be the biggest hazard to data security by emailing sensitive personal data in open emails. They can be resistant to using more secure ways of data sharing, and some may lack the skills or equipment to do so.

The reality is that firms have to support clients into secure data sharing, since few are already on top of this and ready to go.

HMRC also seem to struggle with some aspects of GDPR, and their old technology may take a while to get fully up to speed.

Data privacy policies should make this all clear

Clients do not always fully understand an accountant’s role. This is particularly true now, when different practices have widely different service options. It is easy to assume, wrongly, that they know what you are doing and why.

Your firm needs an easy-to-understand Data Privacy Policy, so your clients know in advance what will happen to their data. It is easy to get lost in the jargon of compliance, but you should remember that if the client does not understand your policy, then your policy is not having the necessary effect.

You will quickly lose ‘trusted adviser’ status if you lose your clients in the small print of your policies and do something they were not expecting you to do with their personal data.

A clear Data Privacy Policy can help you and your clients develop a shared understanding.

Technology can help with security, but it won’t get there on its own

Whilst online platforms have made great strides to secure data about living individuals, they are not all equal in their security standards. And however great your platform may be, if your people don’t use it securely you cannot be sure the information is safely held.

Sharing passwords with colleagues, using one password across multiple platforms, and giving people higher levels of access than they need are all still common issues across many firms. While the software and the hardware can be, and are being, improved, the human ‘wetware’ is struggling to keep up. Poor data handling by people is still the biggest risk to data security.

Regulatory change is not over

While many practices saw 25 May 2018 as GDPR-Day, the reality is that the Information Commissioner’s Office is still formulating and developing guidance and advice. We also have the forthcoming change to the E-Privacy Regulations to look forward to. Meanwhile the EU is in dispute with the USA about the EU-US Privacy Shield Framework that underpins our ability to use many US-based servers without having to contract specifically for non-EEA processing of personal data. And right now we cannot be sure of the effect that Brexit will have on all of this. Although the Data Protection Act 2018 confirms the direct effect of GDPR in UK law, if we are no longer in the EEA after Brexit we will need an EU ruling on the adequacy of our data protection regime if we are to avoid painful paperwork and procedural checks for any cross-border transfers of data.

Data Privacy is not an EU-based fad. Countries throughout the world are implementing their own privacy regimes. While GDPR is currently the gold standard, it is not true that everyone everywhere else can do what they want. Secure and appropriate data collecting and sharing is going to be at the heart of any accounting practice as we move into an increasingly online world.

While it is hard to look into the future and predict what platforms and security measures accountants will be using in the future, it is clear that there is an obligation to incorporate privacy at the design stage of any new platform or process. Security can no longer be viewed as an afterthought or a bolt-on after everything else is done.

In parts two and three of this series we will explore this in more detail with:

  • The GDPR-ready practice: Cloud-based platforms and geography
  • The GDPR-ready practice: Outsourcing and referring

About Annabel Kaye

Annabel co-founded Irenicon in 1980 and during the last 30+ years, managed to juggle being a mother to her two children with advising clients on everything to do with the tough side of HR. From flexible working and parental leave to discrimination and TUPE - she loves the tricky ones and when people tell her it can't be done, she is passionate about showing them otherwise.

After discovering a fascination with freelancing, virtual teams and the changing way in which people work, Annabel founded KoffeeKlatch in 1989 specifically to address the new way we work today.

There is a big gap between the law, people's expectations and what can actually work. Despite the fact that she reads a lot of legal jargon, Annabel likes to bring a flexible and practical approach to solving problems.

An adviser, coach, mentor, consultant, trainer, litigator and professional speaker at both in-person and virtual events, Annabel loves helping you get the best out of the people you pay.

Replies

19th Sep 2018 15:12

All this extra bureaucratic burden doesn't cut down on the slew of junk mail, catalogues and so on which land on my carpet each day. And the number of junk emails increases beyond belief. So how do those companies continue to get our mailing details? And why can't they be stopped? Adam de Gurdon

Thanks (1)
19th Sep 2018 21:43

I use a filter such as Sanebox to put junk mail into folders.

From time to time I unsubscribe the unsolicited emails that have piled up in my junk folder. I make a point of identifying them as spam when unsubscribing.

Those who continue to email me beyond this point I report to the ICO.

I know that a certain level of unsubscribes identifying as spam will alert the mailing list processor and there is a threshold for complaints above which the ICO will act.

The legislation is new in legal terms and will take time and some spectacular fines to bite.

GDPR will have a gradual progressive effect for most people. I have already noticed a marked fall off in junk phone calls.

Thanks (2)