If you are an accountant and control or process personal data about your clients, you will need to comply with the General Data Protection Regulation (GDPR), which became law in the UK on 25 May 2018. In the UK, the Information Commissioner’s Office (ICO) regulates data protection and can apply fines and sanctions to businesses (including accountants) who do not comply or who report a data breach. To comply with GDPR, an accountant will need effective data protection systems and up-to-date policies and procedures.
GDPR is an EU regulation that codifies and aligns data privacy laws across Europe. The UK’s exit from the European Union does not affect the application of these regulations and UK businesses still need to comply.
This blog is not a comprehensive guide to GDPR or data protection, but it does contain some basic, important information accountants need to know. If you’re an established Accountancy Practice, or a new Practice wondering how to comply, you can contact your professional body for up-to-date training and other materials on what you need to do. You can also check out the Guide to UK GDPR published by the UK’s Information Commissioner, which contains many online tools accountants can use to assess the impact of GDPR on their Practice.
How does GDPR affect accountants?
Accountants are likely to control and process personal data relating to their clients, prospective clients, and employees every day. Personal data means data which relates to a living individual who can be identified from the data, or from the data and other information which is in the possession of, or is likely to come into the possession of the business controlling the data.
For the purposes of GDPR, an accountancy business, whether a sole practitioner or a large practice, is usually the ‘data controller’. This means the business will determine the purpose and means of processing data. As a data controller, an accountant will collect personal information about their clients as part of the initial onboarding process and as professional relationships develop.
In certain circumstances, an accountant can also be a data processor, for instance providing payroll or cloud accounting services on behalf of another business. Regardless of the circumstances, if an accountant is involved in controlling or processing data, GDPR applies and the ICO regulates the activities in the UK.
How is personal data defined?
GDPR defines personal data in fairly wide terms. It means information about individuals including technical data such as an IP address as well as standing data that can be linked to an individual (such as name, address or date of birth). GDPR rules apply to manual filing systems as well as computerized records. At the most basic level, if you hold any information which means an individual can be identified, it is personal data.
GDPR also defines sensitive personal data (known as ‘special category’ data) which includes information about individuals’ racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, and information on sex life or sexual orientation. Genetic or biometric data are also sensitive data. There are strict rules surrounding the handling of sensitive data and accountants need to ensure they are familiar with the GDPR definitions.
What are the penalties for non-compliance?
The ICO has overall responsibility for GDPR in the UK and can impose a fine of up to 4% of the annual turnover of a business for a failure to comply or repeated breaches. In practice, if an accountant is found to have breached GDPR rules, the Information Commissioner will work with the accountant to improve processes and procedures to ensure GDPR rules are complied with going forwards. Accountants should also be aware of the severe reputational damage caused in the event the Information Commissioner finds any breach of GDPR rules.
Are there circumstances where an accountant can use a client’s personal data?
Accountants can only collect personal data and then use it in a limited number of situations. For instance, personal data may be needed and used to fulfill a contractual obligation to a client by sending them updates on the progress of the work being undertaken on their behalf. However, accountants cannot continue to contact a client or send marketing materials indefinitely unless they have obtained explicit consent from the individual to do so.
Consent can be obtained by asking a client to sign up for future contact via a website or in a clearly headed email. An accountant cannot assume consent is given by a client, and any privacy notices published by an accountant must give clear information about how they will use any data provided.
After obtaining consent, an accountant must inform the client (or potential client) about their rights to withdraw consent at any time, which must be as simple a process as providing consent in the first place.
What practical steps should an accountant take to ensure GDPR compliance?
The protection of a client’s personal data is one of the most important responsibilities for an accountant. GDPR requires a Data Protection Officer (DPO) to be nominated in an accountancy business to:
- advise the business on its data protection obligations
- monitor compliance with GDPR
- be the first point of contact with the ICO and data subjects.
The DPO is a key role and the responsible individual must:
- possess sufficient and expert knowledge of data processing (including the relevant legislation)
- be able to avoid any conflicts of interest between their role as DPO and any other role they perform within the business
- be able to act independently and not be instructed on how to carry out their functions or how to interpret GDPR legislation.
For larger Practices, there should be a clear commitment to comply with GDPR, with data protection being a standing item on the board’s agenda led by a member of the top management team (or the DPO). Training should be provided to all employees annually and when a new employee joins a Practice.
Regular reviews should be undertaken about the reasons for collecting data and whether it is really necessary. An accountant should not collect information just because it might be helpful in the future or keep it longer than they need to.
Resources will also need to be invested to implement a robust framework of internal controls, including systems, policies and procedures and reporting mechanisms to ensure compliance with GDPR.
What rights does an individual have under GDPR?
GDPR provides the following rights for individuals in the UK regarding their personal data:
- to be informed
- to restrict processing
- data portability
- automated decision making and profiling.
Most commonly, an accountant may be approached by an individual to access personal data held or to delete it permanently. This process is referred to as a Subject Access Request or ‘SAR’. Individuals can make SARs verbally or in writing, including via social media. GDPR rules require a response without delay and within one month of receipt of the request. The time limit can be extended by a further two months if the request is complex or if multiple requests are received from an individual.
Should an individual exercise any of their rights, an accountant will need to respond and ensure the request is dealt with. The Information Commissioner publishes detailed information on what each of these rights means for an individual and how a business should respond.
What should I do if there is a data breach?
Most data breaches occur due to human error, though other breaches can be deliberate, such as the hacking of computer systems and subsequent data leaks. Human error can be as simple as sending personal information to the wrong individual or enabling the identification of an individual through sharing information. Personal data breaches can include:
- access by an unauthorised third party
- deliberate or accidental action (or inaction) by a controller or processor
- sending personal data to an incorrect recipient
- computing devices containing personal data being lost or stolen
- alteration of personal data without permission
- loss of availability of personal data.
GDPR requires businesses to report certain personal data breaches to the ICO within 72 hours of becoming aware of the breach (where feasible). If the breach is likely to adversely affect individuals’ rights and freedoms, those individuals affected must be informed without delay.
Accountants will need effective systems and processes in place to detect, investigate and report any data breaches. This will assist the DPO in deciding whether or not to report the breach to the ICO or the affected individual (or both).
GDPR for employers
If an accountant has employees, they will need to process employee details for the purposes of running the business. Examples include employee contact details (including next of kin), date of birth, PAYE, salary and pension details, medical information and criminal records. The consent of the employee to process this information is not needed provided it is required to operate the business. However, the processing of sensitive personal data (special category data) should only happen with the individual’s explicit consent or when legally required, for instance when defending a legal claim.
Any accountant responsible for controlling or processing data will need strong systems and processes in place to meet the requirements of GDPR. While data breaches in themselves can be minor and may not require formal reporting to the ICO or the data subject, repeated incidents can lead to a breakdown in trust and confidence among clients. The reputational damage to an accountant where the ICO carries out an investigation or imposes a sanction can be considerable.
The protection of client data, and compliance with GDPR rules, should be one of the highest priorities for an accountant. Sufficient resources will need to be invested to understand the legal and technical issues involved for an individual accountant or Practice. External advice from a specialist may be needed to complete an initial review of arrangements for managing personal data when setting up a Practice for the first time.
Initor Global is GDPR compliant
Most accountants feel nervous about transferring responsibility for services and data to an outside provider. Initor Global ensures data security by using the most secure, advanced accounting software available, with state-of-the-art systems and other physical safeguards to prevent the loss or misuse of data. We are GDPR and ISO 27001 compliant and use cloud-based solutions to ensure data cannot be downloaded, mitigating the risk of data loss or IP theft.
You can trust our team of qualified, professional accountants and tax specialists to provide the outsourced services your Practice needs.
If you are looking to take your Accounting Practice to the next level, and provide effective services while reducing costs, you can arrange a free consultation with our expert team.
We offer a free, no-obligation trial of our services.
You can also call us on 0203 519 2121.
This blog draws on information published by the Office of the Information Commissioner and other professional bodies. It is not a complete guide to GDPR or data protection. Information may be subject to change and Initor Global accepts no responsibility should you decide to rely on the information we have published in this blog. Professional advice should always be taken as necessary based on your individual circumstances.