Demystifying GDPR for accountants

Demystifying GDPR for accountants

GDPR introduces more stringent rules and responsibilities and carries hefty fines for non-compliance. How will the regulation affect accountants?

Demystifying GDPR for accountants

With less than six months to go before the EU General Data Protection Regulation (GDPR) becomes law, many may be reaching for the panic button. Firms cannot count on Brexit to let them off the hook; the GDPR will come into force on 25 May 2018 – before the UK leaves the EU – and the Data Protection Bill (the Bill) is progressing through Parliament designed to incorporate GDPR into our laws.

In terms of its significance, the ICO described the legislation as “game changing”. Although in many respects the new regime does not represent a break from current rules, it does introduce more stringent rules and responsibilities and carries hefty fines for non-compliance.

Even for those beyond the panic phase there remain knotty issues for accountants.

Controller or Processor?

In essence, whether a firm is a controller or processor will determine the extent of its GDPR obligations. Under existing law, the controller has the legal obligation to comply, processors only have to comply to the extent that the controller imposed contractual obligations upon it.

A controller incidentally is a person who alone, jointly or in common with others determines the purposes and manner in which personal data is processed. The processor is someone who acts on behalf of the controller, such as a payroll provider.

Where accountancy and indeed wider professional services is involved, the ICO makes it clear that responsibility can lie with the practice hired by the client. Because an accountant, for example, “determines what information to obtain and process in order to do the work”, firms act as “controllers in common” with clients.

Going forward, firms will need to ensure that client terms and conditions reflect this reality, potentially extending engagement terms to include data sharing-type provisions.

Handling client data

Under GDPR, data subjects are entitled to an awful lot more information about who has access to their data, why, and how long it is held.

Where accountancy firms are deemed data controllers in respect of the client’s data subject, this raises questions around the role of the firm in notifying and communicating with data subjects and how this sits alongside existing obligations and professional confidence. For instance, will firms need to send privacy notices to a client’s data subject, how far will firms need to comply with a data subject access request (DSAR) in respect of one of these data subjects, and if so, might that compromise professional obligations of confidentiality?

Fortunately, the GDPR says that fair processing information does not need to be provided where information must remain confidential because of obligations of professional secrecy. Accountants owe such obligations (for example those spelled out at section 140 of ICAEW Code) and so it is hoped that this will avoid the need to notify in many instances, while there may be other exemptions around impracticality.


Many firms place heavy reliance on consent in relation to both client data and internal data, such as employment contracts. This will require a complete overhaul.

For example, many firms currently rely on consent to justify staff data processing by including a generic clause in the employment contract. This one size fits all approach won’t work under GDPR; amongst other requirements, consent must be specific (to the processing), distinguishable, and freely given. Consent must be as easy to give as to withdraw, and if there is a clear imbalance between the parties, such as in an employment relationship, consent is presumed not to be freely given. Data subjects will be able to retract their consent at any time, preventing their data from being processed. In particular, this could be a real hassle if consent is withdrawn in the middle of a disciplinary process for example.

On the client side, we have already seen that, particularly where audits are concerned, the role of the accountant as data co-controller (rather than processer) is complex, and while a client can still validly consent if such consent is specific, fully informed and so on, how this interacts with the client’s own data and data subjects will need to be carefully reviewed and approached.

Consent is only one of a number of alternative bases for processing personal data. A data audit will identify the types of personal data you process and reveal other valid bases, such as:

  • Your legitimate interests (applicable to the processing of the client data subject’s data or why you need to monitor use of your IT systems by your workforce)
  • Because it is necessary for the performance of the contract (to pay salary and benefits for example)
  • Because of regulatory and legal obligations (statutory audits, security obligations and so on)

Identifying the gaps

With these pitfalls on the horizon, taking action now to map any gaps and shortcomings is critical. Get started by scoping the problem and mapping data flows.

Scoping is relatively easy for small accountancy practices but much more complex for multinationals with more of a “family forest” than a “family tree”. They need to work out where servers are located, where decisions are taken and decision makers are, how data is shared, which entities engage staff, and what “buckets” of data are relevant – employees, members, freelancers, marketing, clients, the clients’ clients and so on.

Data-mapping shows how data from information systems transfers to others; audits assess practices by looking at whether there are effective policies and procedures, if these are followed, and identifies improvements.

Scoping and mapping are important because you cannot begin to comply until you work out what, when, where, how and why, you process personal data, where you send it and who you share it with. This exercise will enable you to comply with the obligation to keep processing records (applicable in most cases) and will help inform decisions about the legal basis for processing personal data (which informs the content of GDPR compliant privacy notices).

This exercise should encompass a cross-border inventory of data flows (to inform your approach to overseas transfers) and a review of the third party processors you engage. Audits should review what due diligence you have in place to vet third-party processors prior to appointment. It also, perhaps self-evidently, involves reviewing and keeping under review, your data security arrangements.

Taking action

This type of exercise will almost certainly throw up the need to address some or all of the following policies and practices (not an exhaustive list):

  • Amending privacy notices, particularly regarding, for example, who has access to the data, why, how long it will be held for, and data subject rights
  • Moving away from consent and reviewing the effectiveness of consent already given
  • Amending internal staff-oriented policies
  • Renegotiating terms with third party suppliers
  • Reviewing training programmes
  • Overhauling and testing security (a huge issue in its own right)
  • Joining up and training specific teams to report and respond should there be an incident – an issue that is magnified for international firms working across different time zones.

At first glance, this seems like a scary cocktail of risk and a resource-drain. But, the significance of the rule change should not be taken lightly – there is a clear timeline, everyone is in the same boat, and there is still time to get the house in order – just.

Ellen Temperton is partner and co-head of the Data & Privacy practice at Lewis Silkin.


Subscribe to get your daily business insights

Resources & Whitepapers

Why Professional Services Firms Should Ditch Folders and Embrace Metadata

Professional Services Why Professional Services Firms Should Ditch Folders and Embrace Metadata


Why Professional Services Firms Should Ditch Folde...

In the past decade, the professional services industry has transformed significantly. Digital disruptions, increased competition, and changing market ...

View resource
2 Vital keys to Remaining Competitive for Professional Services Firms

2 Vital keys to Remaining Competitive for Professional Services Firms


2 Vital keys to Remaining Competitive for Professi...

In recent months, professional services firms are facing more pressure than ever to deliver value to clients. Often, clients look at the firms own inf...

View resource
Turn Accounts Payable into a value-engine

Accounting Firms Turn Accounts Payable into a value-engine


Turn Accounts Payable into a value-engine

In a world of instant results and automated workloads, the potential for AP to drive insights and transform results is enormous. But, if you’re still ...

View resource
Digital Links: A guide to MTD in 2021

Making Tax Digital Digital Links: A guide to MTD in 2021


Digital Links: A guide to MTD in 2021

The first phase of Making Tax Digital (MTD) saw the requirement for the digital submission of the VAT Return using compliant software. That’s now behi...

View resource