The GDPR is just beginning

GDPR is now in force and even after Brexit it will remain in force through the Data Protection Act 2018 (DPA 2018).

GDPR gives rise to numerous changes including a substantial increase in the information that data subjects must receive, a need for more comprehensive records and policies, increased data subjects’ rights and, perhaps most infamously, potential for increased sanctions for non-compliance.

The deadline has passed but, to borrow the Information Commissioner’s words, 25 May was the beginning and not the end. There are still many issues for accountancy firms to consider.

Will there be a data adequacy decision in time for Brexit?

The UK will need to demonstrate that there is an adequate level of data protection in the UK to protect its data flows with Europe. The Exiting the European Union Committee has urged the government to start the process of obtaining an adequacy decision from the EU as soon as possible. If there is no adequacy decision in place at the end of the transition period, businesses will have to consider costly, contract-driven solutions to enable the flow of data from the EU into the UK. Any professional services firms operating across the EU should watch this space carefully.

Are accountancy firms data controllers or data processors?

One issue facing firms is whether they should be classed as a data controller or processor in respect of the personal data they receive from clients.

A data controller is the organisation that alone, jointly, or in common with others, determines the purposes and means of processing. A data processor, meanwhile, processes personal data on behalf of a controller. Whether a firm is a controller or processor will determine the extent of its GDPR obligations and what data protection provisions need to be in its terms of business.

ICO guidance (albeit issued under the earlier Data Protection Act 1998) states that firms will be controllers in respect of the personal data in their clients’ accounts. Though it will be contracted by the client to perform a specified service, a firm will determine what information it needs to obtain and process to do the work. It also has a number of professional responsibilities outside of simply acting on the client’s instructions (such as duties to report certain types of wrongdoing).

As both the client and firm are controllers, it is then necessary to think about whether the “joint controller” provisions of the GDPR apply. In our view, because of the accountant’s independent responsibilities and the relationship between accountant and client, it may be inappropriate to try to apportion responsibility for compliance under a joint controller clause. ICO guidance on this is available. Both client and firm are independent controllers, or in other words, independently liable.

While the ICO position seems fairly clear, clients of professional services firms often believe their advisers are actually processors and try to impose – within terms of business – controller-to-processor clauses. Mandatory terms under the GDPR include conditions which control and limit what the “processor” can do with the data, meaning that, if agreed to, the adviser could process data only on the instructions of their client and the client would have the right to audit the processor’s systems (neither of which would be possible for accountants due to their professional obligations and confidentiality duties).

Commercially this may place pressure on the relationship; while a client would expect the firm to cooperate, assist with compliance and provide reassurance around the firm’s information security practices, agreeing to the mandatory terms is very unattractive. If the firm also provides discrete services such as payroll, it may well be a processor in respect of this and a controller-to-processor agreement would be needed. Terms of business may need to cover both scenarios.

Processing special data

Firms may process clients’ special personal data, such as health data, for example during a statutory audit where the auditor may access information on employee sickness.

Processing of “ordinary” personal data would be justified on the basis that the processing is necessary for the legitimate interests pursued by the data controller. But this basis does not apply in the case of special data, where the additional conditions which must be met do not always provide an obvious basis for processing – for example in relation to some of the services typically provided by consultants, which may review levels of staff absence and how to address them. Clients will be increasingly careful about allowing unlimited access and will consider whether it is more appropriate to provide anonymised data to obtain advice.

Data subject rights requests

GDPR has also expanded the rights data subjects have in relation to accessing, restricting access to, and erasing their data.

Accountants may see an increase in these rights being exercised against them by their client’s data subjects and in particular in the number of data subject access requests (DSARs) they receive.

For example, a disgruntled ex-employee of a client may seek all the data the accountant holds about him or her. An individual making a DSAR will be entitled to be given a copy of the information constituting personal data of which s/he is the subject, as well as specific information about the source of the data, how long it will be kept for, and who it might be disclosed to. Firms need systems to log and handle these requests and to ensure cooperation in appropriate circumstances.

Clients may not want the firm to provide information, but accountants must comply with their own obligations as a data controller. Exemptions are available but, unlike lawyers, accountants cannot rely on concepts like legal professional privilege as a reason for non-disclosure.

For accountants, and indeed all professional services firms, trust and a strong client relationship are an important currency. The GDPR potentially creates obstacles which accountants must continue to work to navigate as data continues to increase in value and sensitivity.

Ellen Temperton is partner and co-head of Data and Privacy at law firm Lewis Silkin.
