Tax & Accounting Blog

10 key facts every accountant should know about GDPR

Accountancy Practices, Accounting January 7, 2018

Wondering about the impact of GDPR on accountants? Compliance with the EU General Data Protection Regulation (GDPR) from 25 May 2018 requires significant changes to how accountancy firms handle client data to complete jobs, such as tax returns and processing financial records, as well as data used for marketing purposes.

Generally, the GDPR applies to all businesses residing in the EU, including accountants based in the UK that provide goods or services to individuals in the EU, or process personal data relating to EU citizens.

The new legislation was adopted by the European Parliament on 14 April 2016. After Brexit, the UK will still follow a form of GDPR in its own data regulations; otherwise it may be very difficult to conduct business with the EU.

How will GDPR affect accountants?

Meeting GDPR compliance isn’t a ‘click and forget’, once-a-year activity. You need to entwine the protection of personal data into the fabric of your firm. Gathering, processing and exchanging personal data are daily activities within every accountancy practice.

As the start date edges closer, accountants need to think about the impact GDPR will have on their firm’s day-to-day processes. Many of the software programs you currently use share information, some of it potentially sensitive, between them.

At a minimum, GDPR will require accountants to maintain accurate documentation related to the processing of personal data and systems. This includes recording the exact method and details of customer consent, updating the firm’s new Terms of Engagement, and making specific references to the new requirements for processing personal data.

10 key facts accountants should know about GDPR

1. Accountancy firms will need to comply with GDPR by 25th May 2018.

2. GDPR compliance is your firm’s responsibility as “data controller and data processor”.

3. You will need to understand your supply chain, for example, if you hold data in cloud-based backup software, you’ll need to know exactly where that data is held and replicated.

4. Certain personal data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours.

5. Privacy Impact Assessments become compulsory under certain circumstances. Your firm will need to review how personal data about your clients is requested, sent to you and stored. Specific attention needs to be paid to your tax return process, as some of this data is perceived as sensitive.

6. Your clients’ consent to providing their data must be freely given, specific, informed, and unambiguous. Make sure you provide clear information around how their data will be processed.

7. Offering generic opt-ins to contact, such as ‘passing data on to third parties for marketing purposes’, will not count as being fully informed. Best practice is to provide a tick box option for opt-ins at the end of any correspondence with your clients.

8. Clients may have the ‘right to be forgotten’ – i.e. to have their personal data permanently erased. Where your firm is legally required to keep the data, such as storing a Personal Tax Return for 7 years, your firm may not have to comply with this request.

9. Your clients also have the right to opt out of certain types of automated processes and email marketing.

10. Businesses in possession of the data must also notify other known holders of the data that consent has been withdrawn and data should be erased.

How to assess gaps

For each of these, ask yourself these quick-fire questions to initially assess any gaps in your GDPR knowledge and processes:

• Do I know enough about it?
• Do we currently do this?
• What do we need to do about this?
• Do we need outside help?


The information and opinions contained in this blog and any supporting documents are not intended to be a comprehensive study or to constitute specific legal advice, and should not be relied on or treated as a substitute for specific advice concerning individual situations. Always consult a suitably qualified lawyer on any specific problem or matter.