Practice Matters - GDPR –The Truth and the Myths

Apr 19, 2018

Jeremy Twomey writes..

Billed as the most important change in data privacy regulation in over 20 years, and

with its enforcement deadline of 25 May 2018 fast approaching, ensuring General Data

Protection Regulation (GDPR) compliance has become a top priority for the majority of

Irish businesses.

 

Over the last year, the Institute has been helping its members to prepare for GDPR in a

number of ways. For example, we have provided guidance via articles in recent issues

of Accountancy Ireland, while in the last few weeks we have run a series of half day

roadshows and courses in a number of towns and cities across Ireland. In addition, the

Practice Consulting team has been busy preparing detailed practical guidance in this

area, explaining what the changes resulting from GDPR will mean for accountants and

their clients. This guidance will be available under the Knowledge Centre section of the

Institute website, and is designed to answer the GDPR-related questions that members

have contacted us on over recent months.

 

While preparing this guidance, it became evident that a number of “myths” have

developed over the last couple of years surrounding the implementation of GDPR. In

this article, I am going to address a few of these and try to help you ensure that you do

not fall foul of these, as you prepare to achieve GDPR compliance at your firm.

 

Myth 1 - GDPR Compliance is a once off project to be achieved by 25 May

With so much hype surrounding the regulation, one should remember it is not a once

off event or test for compliance. Unlike planning for the Y2K deadline in 1999, GDPR

preparation doesn’t end on 25 May; it requires ongoing effort. It’s an evolutionary

process for organisations; 25 May is the date that GDPR will be enforced but no

business stands still. You will be expected to continue to identify and address emerging

privacy and security risks in the weeks, months and years beyond May of this year.

GDPR will require ongoing governance of data, as organisations migrate to new

systems or apply their customer data to new markets and trends. Initial compliance is

the first heavy lift, but ongoing governance is the long-term reality!

 

All entities falling under GDPR should endeavour to be fully compliant by the

implementation day, although this may not be possible in all instances. In such

circumstances it is important that you address the essential elements of compliance at

your firm as soon as possible, and can demonstrate your ongoing efforts in this regard

in a comprehensive documented plan of work.

 

Myth 2 - GDPR is only for large firms, a small accountancy practice or company

is not expected to have the time or resources to achieve compliance

You will have to comply with GDPR, regardless of your size, if you process personal

data. Small accountancy practices do not escape the demands of compliance. GDPR

needs to be prioritised by all firms, regardless of size.

 

The vast majority of businesses across Ireland are small businesses and it is important

to remember these firms often process a lot of personal data, and their data protection

reputation and liability risks are just as real as for larger entities.

 

Myth 3 - With Brexit, entities located in the UK, including Northern Ireland,

will not have to comply with GDPR

GDPR will apply to all EEA countries and any individual or organisations trading with

them. As it comes into force on 25 May 2018 (before the UK is due to leave the EU), UK

individuals & organisations must ensure compliance with the new regime by then.

The British government has confirmed that the UK’s decision to leave the EU following

Brexit will not affect the commencement of GDPR.

Post Brexit, it is envisaged that if a UK organisation or individual processes personal

data, then they will have to do this in accordance with GDPR. To ensure that the UK will

be GDPR-compliant post Brexit, the new Data Protection Bill (currently going through

Parliament in London) incorporates all of the GDPR.

 

Myth 4 - GDPR is a completely new approach to Data Protection

It is vital to remember that GDPR builds upon the existing legislation in this area. It

is an update, not a wholesale revision, to meet the changes in technology and data

use over the last twenty years or so. As a result of these changes, consumers’ privacy

and data were not by now as well protected as they could be. GDPR rectifies this by

increasing the responsibility on organisations to use personal data appropriately and to

hold it securely.

 

Although GDPR is not a completely new approach, it is more stringent in its application

and the fines for non-compliance have been considerably increased. This means that

doing nothing is not an option, although GDPR does allow organisations to take a risk

based approach, based on your size and circumstances.

 

Many organisations struggle to assess where they should start in preparing for GDPR. It

is helpful to remember that we have had data protection legislation in both the UK and

the Republic of Ireland for a number of decades and therefore, firms who have taken

data protection compliance seriously are already in good shape for beginning to meet

GDPR’s increased compliance standards.

 

Myth 5 - GDPR is just more bureaucracy and work for small firms, with no

potential benefits

When legislation of this nature is announced, one can take either a positive or negative

view of the task at hand. If you take a negative view, you will see GDPR as more

bureaucracy and cost to your firm. If you take a positive view, on the other hand, you

will view GDPR as a necessary strengthening of the rights of individuals, and indeed a

potential opportunity.

 

As accountants position themselves as strategic advisers to clients, GDPR is also an

opportunity for firms to demonstrate to clients that they can securely hold and process

information in accordance with data requirements, and that protection of client data

is a priority for the practice. As a result, clients are likely to see their accountants as

trusted professionals with whom they can partner to drive their business forward.

Therefore, being a leader in this area may enhance your practice and its reputation.

 

In addition, as trusted business advisors to your clients, you must have sufficient

knowledge of this new legislation to be able to provide sound advice. SMEs need to be

ready when the new law comes into force, but they may struggle to know where to

start. Chartered Accountants in practice can help these small businesses bridge the gap

to GDPR compliance and, in the process, win new business.

 

Myth 6 - Outsourcing GDPR compliance will be a quick fix for me and my firm

There is no quick fix to GDPR compliance. No one piece of software or outsourced

service provider is going to provide everything you need to comply with GDPR. For

accountancy practices, GDPR will impact on how you manage and store data across

your entire firm (e.g. client, prospective client, contact, supplier and staff data). You

cannot outsource your responsibility for this information, and compliance with GDPR

will require considerable time and preparation from all levels within your practice.

With the implementation date of 25 May approaching quickly, it is important to start

sooner rather than later on this.

 

Myth 7 - GDPR only applies to Digital Processing

Under GDPR, data processing covers both automated personal data and manual

filing systems. Manual/paper records are included if they are part of a ‘relevant filing

system’. This means papers stored systematically, for example, in a filing cabinet are

probably included, but ad hoc paper files may not be.

 

Members should ensure that they apply the same levels of diligence to paper records

as they do digital records and that any decisions made regarding the lawful basis for

processing, adhering to data protection principles and upholding data subjects’ rights

include paper records held.

 

Myth 8 - Under GDPR, accountants will only be seen as Data Processors and

hence avoid much of the responsibility that falls on Data Controllers in this

new regulation

 

The UK Information Commissioner’s Office (ICO) has previously advised that it

considers that an accountancy firm providing accountancy services acts as a data

controller. The firm’s status as a data controller in relation to clients arises because

the firm has flexibility over the manner in which it provides services to its clients and

will not be simply acting on their instructions. In addition to this, the firm has its own

professional responsibilities regarding record-keeping and confidentiality. Therefore,

because an accountant “determines what information to obtain and process in order

to do the work”, firms act as “controllers in common” with clients. Under GDPR,

member firms will also be data controllers with regard to their firm data (e.g. employee

information). If there is any doubt regarding your status as a processor or controller in

relation to your firm’s activities, you should take legal advice.

Going forward, firms will need to ensure that client terms and conditions reflect this

reality, potentially extending engagement terms as appropriate.

 

No doubt, for many accounting practitioners, much work remains to be done to fully

meet GDPR compliance requirements. Between now and the end of May, firms new

to the process will need to examine their existing data processing, review their data

protection policies, procedures & controls, and identify any gaps that need to be

addressed. Following on from this, firms will need to implement any changes required

in a structured documented manner to meet the needs of GDPR and continue to show

full compliance long after the implementation date.

 

The Institute will continue to assist members on your GDPR compliance journey, with

ongoing updates to our available guidance in this area and, should you have a specific

query in this area, please feel free to contact the Practice Consulting Team.