In the second of a three-part series on GDPR on Accounting Web, we want to provide practical advice and asks some questions you need to know the answers to in the future with relation to this updated regulation.When it comes to GDPR compliance, it’s important to understand your obligations regardless of where your firm resides. It will take time, tools, processes and expertise for you to comply with the new regulation and to do this, you need to show you are improving your privacy and data management practices. Failure to do so could prove costly – by not meeting the requirements your firm could face reputational harm and fines of £20m, or 4% of your annual turnover, whichever is greater.
To ensure your firm is aligned with GDPR and that you don’t have a run in with the ICO, it is time you raise some questions about the way your data and your clients’ data is stored and secured.
Leading with the most important questions, see how many of these you can confidently answer about your firm.
Who owns or can access the data you store?
Do you outsource any services? From IT, server hosting, legal even the cleaning company you use. Do they have access to your data? If so, what data and how do they access it?
You need to find out who your service providers are, what they do with your data, and how much control they have over it. Some service providers use their clients’ data to build on their own products, i.e. for marketing or advertising purposes.
But the GDPR will enforce stricter rules for using personal data for these purposes. For example, to receive any external marketing materials you will have to opt-in, and have the right to withdraw your consent at any time. So if you are the source of data you need to have control over what is happening with it.
Do you offer privacy controls for your client’s data?
Here you need to consider what privacy controls are enabled on your system by default and what you are in control of. So, does your client have access to turn on or off privacy-impacting features, or are you completely in control of that? If data control is in your hand, what processes internally do you have in place to manage that?
Do you have visibility into where you store your clients’ data?
Is it kept in a server room or managed by a third party? By asking your IT team or service provider where your data is located, you should also be told who can access it, and how they report on data access. What about backup data? Is it secure or is it on a collection of tapes that get swapped out and brought home?
What is your approach to security and which security features?
Do you offer to protect your clients from potential external attacks? Again, the IT Team or service provider needs to tell you what they do to secure your hardware, software, and data centres. If they are a managed by a third party, the under GDPR you can ask to see the policies and controls they use, and how they implement these measures to secure your data.
Can you easily extract your data out of your system?
You should find out if you can extract or download a copy of your data at any time, without any assistance from any service provider.
What standards does your firm comply with?
Complying with standards like Cyber Essential Plus, ISO 27001, and PCI DSS will have you well on the way to GDPR compliance. Gaining assistance to achieve these certifications is easily done by engaging a third party with the expertise.