Bookkeepers – are you ready for GDPR?
Bookkeepers who run payroll and store large amounts of personal data must ensure it is kept secure and GDPR-compliant
The General Data Protection Regulation (GDPR) is due to come into force May 2018, a key component of which is holding businesses accountable for securing personal data. This means that bookkeepers who run payroll and store large amounts of personal data must ensure it is kept secure and GDPR-compliant.
Running a payroll process involves accessing and storing an individual’s personal information, such as information on starters and leavers, changes of address and status as well as normal cyclical information like receiving timesheets, notification of pay rises, bonuses and other increases in pay.
So how should bookkeepers dealing with substantial amounts of data prepare for GDPR?
Personal information
The first step is to identify what information is held, why it is held, and how is it held. A good place for the bookkeeper to start is by asking the following questions:
- Where is the information stored?
- Why is the information needed?
- Is the information secure?
- Can the information be held differently?
- How is the information moved?
Information stored
Running a payroll (and automatic enrolment) means that data such as name, date of birth, NI number, address, salary and the like are needed. Other data such as emergency contact numbers may not be necessary, and it is this excess data that should be removed. The bookkeeper should go through each item of data held on an individual and ask the question ‘Is this needed for the payroll/AE process?’ Be strict, and if the answer is ‘no’ then delete the data.
Information needed
The data identified as not needed for payroll may still be vital information that needs to be held. But who will hold it?
- If the bookkeeper is an employee and performs HR duties as well as payroll, then information on next of kin, emergency contact details and similar information would still fall within the bookkeeper’s control.
- If the bookkeeper acts in an agent role, perhaps looking after more than one payroll there may not be the scope, or need, to keep that level of data, and instead the information is held by the employer.
The bookkeeper should identify their role and store or delete information as necessary. It is also important to remember that data needs to be checked and updated regularly, so an appropriate process will need to be put in place.
Information security
Resources & Whitepapers
Accounting Software The power of customisation in accounting systems
The Information Commissioner’s Office (ICO) has a lot of information on the website, some of which is specifically for the small organisation. The information covers basic steps to take such as keeping passwords secure, individuals logging off computers when away from their desks, shredding confidential papers as well as updating software programmes and anti-virus programmes.
The ICO also suggests using a procedure called pseudonymisation to disguise an individual’s identity and protect their personal data. Pseudonymisation is a process by which the most identifying fields within a data record are replaced by one or more artificial identifiers with the sender and designated receiver of the information having the key to unlock the information.
The ICO also suggest the pseudonymisation key is kept totally separate from the information it disguises-perhaps on a separate server. For the bookkeeper this may be difficult. However, a stand-alone computer could be kept for personal data, with the payroll software protected by the latest payroll provider updates, and the network itself protected by anti-virus and malware protection programmes.
Information held
Under the current Data Protection Act, manual records filed in a way that do not reference individual’s personal data are exempt. This is not the case with GDPR, and any information held this way must be reviewed and brought in line with the new regulation or deleted.
Information transfer
Currently the most common forms of information transfer are emails, memory sticks or notes written on paper and posted or handed to the recipient. These forms of data transfer are no longer suitable, as emails can easily be sent to the wrong recipient, memory sticks easily misplaced and pieces of paper inexplicably go missing. Storing information in the cloud is also problematic as there must be trust in the cloud provider’s data security.
So, what can the bookkeeper do to secure individual data and comply with GDPR? The ICO have written a document on these matters, specifically aimed at small organisations. The document is called ‘A practical guide to IT security’ and outlines 10 practical ways to keep your IT systems secure. It covers the following areas:
- Threats and risks to the data held by the business
- Different types of IT security available
- Moving, securing and backing up of data
- Staff training and awareness
- Identifying that an attack has taken place
- Minimising data and data breaches
- Checking third party compliance
By following these suggestions, the personal data held by the bookkeeper will be much more secure and GDPR compliant.
It will never be possible to ensure total data security. Somewhere, at some time, data will be leaked by someone or something. All the bookkeeper can do is minimise the chance of a leak by understanding the GDPR and taking the necessary safeguards to meet the requirements.
Julie Hodgskin, a fellow member of AAT, runs a licensed accounting practice and is a technical materials author for CIPP. A version of this article first appeared on AAT Comment.