[BreachExchange] How can accountants prepare to comply with GDPR?

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 15 21:50:29 EDT 2018


The General Data Protection Regulation (GDPR) deadline for compliance is
fast approaching. With the aim of harmonizing data privacy laws across
Europe and strengthening the protection of personal data, the GDPR imposes
new requirements on companies that process and hold personal data.

When it comes to the accountancy industry, a great deal of sensitive client
information is handled on a daily basis. Although accountants must already
adhere to a number of rules when handling this information, the GDPR
modernizes those protections and imposes more stringent requirements on
the handling of sensitive data.

To ensure accountants are ready for the changes, the Institute of Chartered
Accountants in England and Wales (ICAEW) has released a document answering
some of the common questions accountants have concerning the GDPR.

Here is an overview of the information:

Does the GDPR still apply to just personal data?

According to ICAEW, the answer to this is yes. Just as before, personal
data refers to data which relates to a living individual who can be
identified from the data or “other information which is in the possession
of or is likely to come into the possession of, the data controller.”

Are there any changes to what’s included as personal data since GDPR?

In order to reflect changes in technology, the GDPR has expanded the types of
data that can identify a “living individual”. As well as name, address, and
date of birth, it now includes IP addresses, location data, and cookie
identifiers, as well as genetic data. Additionally, the GDPR covers both paper
and electronic data.

Accountants and accountancy firms process two different types of personal

Client data: Personal data received from clients in relation to
professional engagements and practice.
Firm data: Personal data held by a firm in relation to its own management,
employees, and affairs.

Does the GDPR only apply to digital processing?

According to ICAEW, manual and paper records are also covered by the GDPR if
they are part of a ‘relevant filing system’, i.e. papers stored
systematically in a filing cabinet are included but ad hoc paper files are

“Members should ensure that they apply the same levels of diligence to
paper records as they do digital records and that any decisions made
regarding the lawful basis for processing, adhering to data protection
principles and upholding data subjects’ rights include paper records,”
notes ICAEW.

As with the Data Protection Act (DPA), the GDPR specifies that the
processing of personal data must be in line with the data protection
principles. According to ICAEW these have not changed, but the principle of
accountability has been added, which leads us to the next question:

How can I prove accountability?

The accountability principle refers to the need for companies to
demonstrate compliance with the GDPR’s data protection principles.

Internal mechanisms and control systems must be put in place to ensure
compliance along with evidence to prove this. This is important as it may
be required to be shown to external stakeholders including supervisory

Therefore, members must have written policies and procedures set out in a
Data Protection Policy with training given to all staff to ensure

Additionally, businesses are advised to demonstrate the suitability of their
systems. Schemes such as the National Cyber Security Centre’s Cyber
Essentials enable members to demonstrate the security/suitability of their

How will the new rights of individuals impact my accountancy firm?

The GDPR has enhanced the rights of individuals whose data is held. As such,
your accountancy firm must be aware of these rights and set up policies and
procedures to facilitate them. The rights now consist of:

Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Rights re: automated decision making and profiling

While these rights require processes to be in place to ensure they are met,
the ICAEW explains that not all the rights are absolute. According to the
“GDPR for accountants: Your questions answered” document, in some cases
you may take a risk-based approach. This involves deciding not to put
processes in place for certain rights if it is unlikely that a client will
ask you to enforce them.

“For accountancy practices, we believe this is most likely in regard to the
new rights regarding automated decision making and profiling but that all
the other rights may be enforceable in certain circumstances,” outlines the

So, are you GDPR-ready?

With accountants handling a vast amount of data on a daily basis, it is
vital for firms to ensure they have procedures and policies in place to
meet GDPR requirements.

While this may seem like a whole lot of work, GDPR should be seen as an
advantage for both the clients whose data is being held and accountants

GDPR gives accountancy firms the opportunity to showcase to clients their
ability to securely hold and process their information in line with data
regulations. This shows that client data is a priority for your practice
and as a result, clients will be more inclined to trust you with their
business and personal data.