Calculator
Calculator (April)

GDPR and The Accountant

This Month: The Accountant…

Welcome to the fourth article in our series of professionally-themed insights for 2019.

Each written with a specific profession or role in mind, they’re packed full of helpful ponderables, tips and advice to make the GDPR work for you in your everyday 9-5.

This month, we’re covering the need-to-knows, good-to-knows and no-nos (!) for all you Accountants out there.

We hope it makes your GDPR life that little bit easier.

Dear Accountant…

MTD – Making Tax Digital.

For some, it’s a bonus. For others, a bane.

But whichever way you view it, have you considered where it leaves you in terms of your GDPR responsibilities?

Because, done responsibly, Making Tax Digital requires accountable accountants, especially when it comes to your clients’ data protection.

Here’s some general guidance and reminders on how best to make the GDPR work for both your practice and your clients…  

GDPR Tips for the Accountant

Before digital accounting software packages were introduced, it was pretty much just you, your clients and an old-fashioned way of doing things – paperwork and Excel spreadsheets.

Except now there’s something else to factor in: your third-party supplier.

Whether that happens to be Xero, QuickBooks, Sage or other providers out there, not only does it mean you’ve effectively become a reseller of their product, you’ve also joined them in becoming a data processor.

Here are some key things to consider:

1. Know what you’re promoting.

Whichever package you opt for, it’s highly likely that your decision will be an accountancy-based one. However, that’s not to say that your due diligence shouldn’t go beyond that. For instance, how robust are your third-party supplier’s data protection systems and processes, and what’s their general attitude to compliance?

As far as your clients are concerned, your practice will be the face of whatever digital accounting package you’ve recommended to them, so if something goes wrong – albeit due to an issue originating from your software provider – it’ll most likely be your reputation that suffers.

How thoroughly have you researched your preferred supplier?

2. Know the risks and their potential implications – just in case.

Through doing proper due diligence, you’ll have a much better idea of the strengths and, just as importantly, potential weaknesses of your preferred accounting software. Remember, standards set for US data laws differ significantly to those in the UK and EU so if your supplier is US-based, you can expect a different level of data safeguarding (and not necessarily for the better).

Carrying out a Data Protection Impact Assessment (DPIA) can help you prepare for the unexpected so that if (and when) things don’t go to plan (say in the event of a data breach on your supplier’s server), you’ll at least have a good idea of what you need to do.

How well have you identified and mitigated against potential risks?

3. Let your clients know what you know.

Your clients are paying you for a professional service and, as such, they trust you. Which means they have no reason to question the digital accounting software you’re recommending.

So, based on the due diligence you’ve done, share with them as much information on the software as you can, including any potential risks. That way, they’ll have the benefit of a more informed decision and additional reassurance that their data is (hopefully) in safe hands.

Use your Letter of Engagement to explain why you’re recommending that particular software and the benefits of using your preferred supplier – not just from an accountancy viewpoint, but from a data protection standpoint too.

How up-to-date do you keep your clients on the software you’re asking them to use?

4. Keep sight of the bigger picture.

It’s very easy to get caught up in the latest fads so it’s worth contemplating what’s going to be right for you and your clients in both the short and long-terms. Ideally, it’s best to have just one system that’s secure and efficient, gives you everything you need and can accommodate future needs too.

And, again, it all comes back to doing your homework: work out what you need, find a system that provides it and then test/prove that it does just that!

Are you planning for the future as well as the present?

5. You’re still a data controller.

Just because you’re now processing clients’ data through a third party doesn’t mean that your GDPR responsibilities stop there; you still need to keep on top of your in-house data protection responsibilities as the data controller for your staff’s personal information.

That means you should still be carrying out regular data protection reviews to see whether your practices stand up to scrutiny. For instance, when was the last time you mapped your data properly? And are you still applying the correct legal basis (or bases) to justify the information you’re collecting and holding?

When was the last time you went through your data controller checklist?

In-the-Know… Summary

The Need-To-Knows

  • Know what’s expected of you as both a data controller and a data processor.
  • Know your digital accounting package inside out – pros and
  • Ensure your clients are well informed by always providing clear and transparent information.

The Good-To-Knows

  • Proper due diligence will help you stay on top of what’s what and ensure that there are no surprises.
  • Choose your digital accounting software based on its accounting capability and data protection potential.
  • Invest in a system that not only gives you and your clients what you need now but can also grow with the business.

The No-Nos!

And whatever you do, please…

  • Don’t dismiss GDPR or not find time to take it seriously.
  • Don’t turn a blind eye to a software package that potentially puts your clients’ data at risk.
  • Don’t put off asking for help if you need it.

Help and support is only a quick email away

If knowing your GDPR roles and responsibilities comes as easy as saying 1, 2, 3, then congratulations – your clients are lucky to have you!

But if you’re not quite there yet and could with some more in-depth guidance on DPIAs or data controller/processor reviews, please do get in touch.

We’ll make sure you can count on us just as much as your clients count on you.

 

Next month in GDPR and The Professional: The Marketing Manager…