In the last of a three-part series on GDPR on Accounting Web, we lay the groundwork for accountants to communicate data-related changes to their clients.

Will anything change in the way you communicate with your clients? And how can you add value to your client relationships by helping them with GDPR-related issues?

If you don’t know by now, GDPR is introducing improved regulations surrounding the safekeeping of personal data, and increasing the fines for serious breaches and non-compliance. The arrival of GDPR reflects just how valuable data security is in 2017, and no matter how big or small your firm is, or how many clients you have, everyone handles data that deserves to remain protected.

Whether or not you plan on making any changes to your current data security practices, GDPR introduces policies that will affect everyone. It’s important that any data-related changes or improvements your firm makes are clearly communicated to your clients. This doesn’t just apply to data online, but also to physical data, i.e. the contents of your filing cabinets, contracts, and the rest. But don’t see making changes as an unfavourable task; GDPR isn’t supposed to be unreasonable.

According to the AAT, in a survey last year, 44% of those questioned ranked “business being careful with sensitive data” as the most important factor when considering who to engage with. See this regulation update more as an opportunity for you to remind your clients of their rights to privacy, and even encourage them to make their own improvements, whilst partaking in the activity yourselves. Give your firm that competitive edge.

Here are a couple of key features that GDPR will impose in relation to communicating with your clients, which you may find useful:


You want to make sure that your clients’ data is processed lawfully, which is why GDPR also lays out the rules for consent. Consent must be freely given, specific, informed, and unambiguous. There must be some form of a positive opt-in, meaning consent cannot be inferred from silence, pre-ticked boxes or inactivity. This means that if you are sending your clients marketing materials which they have previously opted in to receiving, they have the right to withdraw their consent at any time. You will need to provide simple ways for them to withdraw consent. Giving them access to their data so they can manage their details and consent (perhaps via an online portal) will retain the trust of your clients.

Privacy notice

Currently, when any business collects personal data, it is required to give its clients all information on its identity and how it intends to use the information, using a privacy notice. This applies to accountancy firms too, and under GDPR, your firm will need to update the privacy notice you have in place with additional information, including the lawful basis for processing the data, the data retention period, and clients’ right to complain to the ICO if they think there is a problem with the way their data is being handled. GDPR requires this information to be provided in concise and clear language, to make the process as easy as possible.

Data protection officer

Appoint one and communicate about them. Give your clients the confidence that you are not only compliant but a leader.


Speak to your clients about their own responsibility. Have they thought about it? Have they budgeted for any changes they may need to make? Are they following the same route as you are to compliance?

Do you hold any data that belongs to them outside of their own personal data (your clients’ clients)? If so, is it safe and compliant?

GDPR is a wide-spanning regulation touching on various parts of every business: employees, processes, the technology that underpins the business and the activities the business partakes in. Steps you and your clients should consider as part of the journey, from a business and a technology perspective, are below. If you are conducting these activities, why not share your plans with your clients and add extra value to your service offering?

Business considerations:

  • Conduct an internal audit of processes across all departments
  • Have a GDPR document that lays out what actions are taken to protect the data
  • Have an incident response plan
  • Education and training for staff
  • What communication activities do you conduct with clients or from a marketing perspective?
  • Who has access to what data?

Technology implications:

  • Security of servers and all devices
  • Ongoing management of updates and patching: being just one patch or security update behind on a server leaves a business vulnerable to hacks
  • Mobile device management: what happens if someone loses a device? Can it be wiped? What data could be compromised?
  • Use of personal devices: Is this secure?

The list can go on, but by starting with these considerations you can see how far this regulation can reach when you consider the data accountants hold.