The way accounting firms process client and employee data is about to change. The General Data Protection Regulation (GDPR) will apply from May 2018 and firms need to be compliant or risk fines of up to 4% of global revenue. So, what does this mean for you? If the firm handles personal data of EU citizens it will have to ensure data handling practices meet the standards detailed in the GDPR.
The new regulations demand more stringent protection of personal data and give citizens greater rights of access to the personal information any organisation holds about them. Speaking to The Institute of Chartered Accountants in England and Wales (ICAEW) in London earlier this year, Information Commissioner Elizabeth Denham of the ICO warned that, “If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage a bank balance or business reputation”. Here’s what your organisation can do to avoid this.
Review data handling processes
Accountants handle a huge amount of personal information: payroll, employee details, expenses, and bank account details, to name a few. To be compliant with GDPR, the way firms process and store this data may need to change. Firms will have to keep records of customer data that show how it was captured and that customer consent was given. Consent must be clearly and freely given before data can be captured, and it is up to the firm to show how and when it was obtained. You will also need to show that you have a valid reason for holding a person’s data and that the data will be deleted once that reason has expired.
Additionally, clients can exercise their ‘right to be forgotten’, so organisations should have processes in place for data erasure. This applies to any personal data held onsite or by a third party, such as a cloud service provider. Check that your cloud service providers actually offer a deletion facility; it is an important point to verify.
Work only with providers that will be GDPR-compliant
Since the data controller – the firm – is ultimately culpable if GDPR is breached, it would be wise to review your business partnerships before the May deadline. Do you know whether your third-party data processors are compliant? Identify any compliance risks for data in motion and at rest, such as data held in cloud storage, data encryption and key management, and data lifecycle management. If you work with any US-based businesses, check that they have procedures in place to keep your firm compliant.
Up your data security levels
For data protection to be a cornerstone of a firm’s practices, the firm must keep data secure and protected from cyber-attacks and accidental leaks. First, though, firms need to ensure they can find every piece of personal data held in their systems. For this to happen, every file needs to be searchable. If a firm scans passports as a form of ID for new clients, for example, it will need to apply OCR technology to these files to add a text layer and make them searchable.
Once all of the data has been found, perform a risk assessment on current systems. Identify any weaknesses or vulnerabilities and start working now to resolve them. Keep laptops and other devices safe from loss or theft and encrypt any data stored on these devices. When choosing a data backup or cloud storage provider, apply due diligence to make sure you’re partnering with a compliant vendor.
Report any data breaches or cyber-attacks that occur
Under the GDPR, firms won’t be able to keep embarrassing data leaks under wraps. They will have 72 hours to report leaks and cyber-attacks to the ICO and to the affected parties. Appointing a data protection officer (DPO) will be mandatory for larger organisations. The DPO will be responsible for creating the reporting processes to follow in the event of a breach or attack.
Commit to compliance and stand out from the crowd
Survey data released by the ICO found that 75% of British adults don’t trust businesses with their personal data. Want to know how to get your firm to stand out from the crowd? Be the best at protecting their information. Better data protection means better client relations and retention.
To be the best, data protection has to move from doing the bare minimum needed for compliance to being a genuine commitment. Ms. Denham of the ICO reaffirmed that data protection is part of “basic good business practice, like honest pricing or good customer service”, and shouldn’t be neglected.
Committing to a culture of privacy and protection overall will help accomplish and, just as importantly, maintain GDPR compliance.
This article was originally published in the August 2017 issue of PortrAIT.
Learn more about how DocsCorp products can help you prepare for GDPR over at our GDPR Software page.