In the first of a three-part series on GDPR for Accounting Web, we look at why the regulation changes have come about, what they mean & how they will affect accountants.
What is it?
Keeping your clients’ information safe and secure is now one of the top priorities for accountancy firms. All industries are at risk, and it was reported that in 2016 there was a 22% increase in cyber crime.
Juniper Research reported that cyber crime will cost businesses over $2tn by 2019. The proof is out there on the ICO website and in the media: the NHS, TalkTalk and Netflix; all household names, all falling victim.
In light of such statistics, the General Data Protection Regulation (GDPR) couldn’t be approaching at a better time. As of 25 May 2018, the EU GDPR will come into effect, setting a new bar for security, privacy rights and compliance. It will apply to all organisations in the EU, including the UK (despite Brexit).
From a personal perspective the new regulation will ensure:
- Individuals’ control over all their personal data
- Extra security and controls to protect data
From a business perspective, it means more accountability of what we do with other people’s data, how we use it, interact with it and store it.
What are the penalties for non-compliance?
To ensure these updated regulations are taken seriously, penalties of £20m or 4% of your annual turnover (whichever is higher) for non-compliance are being laid out as potential punishment at the discretion of the Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights in the public interest.
Elizabeth Denham, information commissioner for the ICO, has been named one of the most influential people in data driven business in 2017. With those kinds of penalties in her back pocket, you can understand why.
However, as discussed in this piece the ICO has stated that fines under GDPR will be necessary, proportionate, and only ever applied as a last resort.
Who will be affected?
As the updated regulation comes into effect, organisations that obtain any data will be impacted – so pretty much everyone.
Many accountants we work with at T-Tech would agree that despite handling vast amounts of sensitive data daily, they perhaps do not think about the back-end system that is holding this data as much as they should, or even the process of how this data moves around and out of the business. There is so much else going on!
A lot of businesses, not just accountancy firms, are heavily reliant on their current systems having secure measures in place but don’t know for sure whether they are running to a standard ready for 2018 or 2008.
Another consideration is firms using older, custom-built systems or applications running on old servers. Are they really fit for purpose? Not only for GDPR, but also for future-proofing their business. Many professional services firms are looking at this regulation change as an opportunity to gain efficiencies and improve technologies to take their firms into the future.
Process change catalyst
Cybercrime isn’t the only element that needs to be considered. Internal operations, employee education, processes and activity also need to be deliberated. Royal & Sun Alliance Insurance was fined £150,000 in January 2017 for the theft of a hard drive, while other companies in the finance sector have received fines ranging from £40,000 to £175,000 in the last two years for marketing activity that breaches the current data laws.
As these laws become more stringent, the responsibility is on everyone, from communication with the public, to how staff manage the information they are exposed to.
Why the changes?
You may be wondering why there is so much focus on the new GDPR. Surely, it’s just an updated version of the current Data Protection Act (DPA)? And if this is the case, then my firm doesn’t need to be making any changes?
The first thing to understand here is why these changes have come about, and why they are happening now. Data has become, and is increasingly becoming, a much higher-class asset for firms worldwide. Data pervades almost everything we do digitally, and as the accountancy world moves more and more into the digital sphere, it is important that your firm stays compliant with GDPR.
What do I need to do?
To begin your journey to compliance, you need to start reviewing your privacy, data governance policies and procedures now, as well as the technology underpinning all of this.
Take this opportunity to review your data strategy and how you can move toward modernising your technological infrastructure.
Some steps in the right direction would include:
- Identify the data you hold on your clients, which could include things such as their contact details or their business bank account information.
- Ask yourself: ‘Do I need to be holding this data? What am I using it for?’
- Check your cyber protection methods and ensure you or your third-party providers have taken precautions such as installing encryption software on all laptops, PCs and electronic devices you and your staff use. Is all patching up to date on servers you hold on or off site?
- Appoint a data protection officer and establish reporting procedures to ensure you know exactly who and what you need to report regarding any data breaches.
By using these steps as a starting point, you will be able to work out where you sit on the path towards being prepared, and from there you can start taking action.
We suggest you don’t wait until the last minute to make changes. Elizabeth Denham certainly won’t be making excuses for anyone come May 2018.
So, get on top of gaining stricter control on how your clients’ data is stored and handled, and take action on implementing improved data policies to reach compliance.