Jeremy Twomey writes:
Billed as the most important change in data privacy regulation in over 20 years, and with its enforcement deadline of 25 May 2018 fast approaching, ensuring General Data Protection Regulation (GDPR) compliance has become a top priority for the majority of Irish businesses.
Over the last year, the Institute has been helping its members to prepare for GDPR in a number of ways. For example, we have provided guidance via articles in recent issues of Accountancy Ireland, while in the last few weeks we have run a series of half day roadshows and courses in a number of towns and cities across Ireland. In addition, the Practice Consulting team has been busy preparing detailed practical guidance in this area, explaining what the changes resulting from GDPR will mean for accountants and their clients. This guidance will be available under the Knowledge Centre section of the Institute website, and is designed to answer the GDPR-related questions that members have contacted us on over recent months.
While preparing this guidance, it became evident that a number of “myths” have developed over the last couple of years surrounding the implementation of GDPR. In this article, I am going to address a few of these and try to help you ensure that you do not fall foul of these, as you prepare to achieve GDPR compliance at your firm.
Myth 1 - GDPR Compliance is a once off project to be achieved by 25 May
With so much hype surrounding the regulation, one should remember it is not a once off event or test for compliance. Unlike planning for the Y2K deadline in 1999, GDPR preparation doesn’t end on 25 May; it requires ongoing effort. It’s an evolutionary process for organisations; 25 May is the date that GDPR will be enforced but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May of this year. GDPR will require ongoing governance of data, as organisations migrate to new systems or apply their customer data to new markets and trends. Initial compliance is the first heavy lift, but ongoing governance is the long-term reality!
All entities falling under GDPR should endeavour to be fully compliant by the implementation day, although this may not be possible in all instances. In such circumstances it is important that you address the essential elements of compliance at your firm as soon as possible, and can demonstrate your ongoing efforts in this regard in a comprehensive documented plan of work.
Myth 2 - GDPR is only for large firms, a small accountancy practice or company is not expected to have the time or resources to achieve compliance
You will have to comply with GDPR, regardless of your size, if you process personal data. Small accountancy practices do not escape the demands of compliance. GDPR needs to be prioritised by all firms, regardless of size.
The vast majority of businesses across Ireland are small businesses and it is important to remember these firms often process a lot of personal data, and their data protection reputation and liability risks are just as real as for larger entities.
Myth 3 - With Brexit, entities located in the UK, including Northern Ireland, will not have to comply with GDPR
GDPR will apply to all EEA countries and any individual or organisations trading with them. As it comes into force on 25 May 2018 (before the UK is due to leave the EU), UK individuals & organisations must ensure compliance with the new regime by then. The British government has confirmed that the UK’s decision to leave the EU following Brexit will not affect the commencement of GDPR.
Post Brexit, it is envisaged that if a UK organisation or individual processes personal data, then they will have to do this in accordance with GDPR. To ensure that the UK will be GDPR-compliant post Brexit, the new Data Protection Bill (currently going through Parliament in London) incorporates all of the GDPR.
Myth 4 - GDPR is a completely new approach to Data Protection
It is vital to remember that GDPR builds upon the existing legislation in this area. It is an update, not a wholesale revision, to meet the changes in technology and data use over the last twenty years or so. As a result of these changes, consumers’ privacy and data were not by now as well protected as they could be. GDPR rectifies this by increasing the responsibility on organisations to use personal data appropriately and to hold it securely.
Although GDPR is not a completely new approach, it is more stringent in its application and the fines for non-compliance have been considerably increased. This means that doing nothing is not an option, although GDPR does allow organisations to take a risk based approach, based on your size and circumstances.
Many organisations struggle to assess where they should start in preparing for GDPR. It is helpful to remember that we have had data protection legislation in both the UK and the Republic of Ireland for a number of decades and therefore, firms who have taken data protection compliance seriously are already in good shape for beginning to meet GDPR’s increased compliance standards.
Myth 5 - GDPR is just more bureaucracy and work for small firms, with no potential benefits
When legislation of this nature is announced, one can take either a positive or negative view of the task at hand. If you take a negative view, you will see GDPR as more bureaucracy and cost to your firm. If you take a positive view, on the other hand, you will view GDPR as a necessary strengthening of the rights of individuals, and indeed a potential opportunity.
As accountants position themselves as strategic advisers to clients, GDPR is also an opportunity for firms to demonstrate to clients that they can securely hold and process information in accordance with data requirements, and that protection of client data is a priority for the practice. As a result, clients are likely to see their accountants as trusted professionals with whom they can partner to drive their business forward. Therefore, being a leader in this area may enhance your practice and its reputation.
In addition, as trusted business advisors to your clients, you must have sufficient knowledge of this new legislation to be able to provide sound advice. SMEs need to be ready when the new law comes into force, but they may struggle to know where to start. Chartered Accountants in practice can help these small businesses bridge the gap to GDPR compliance and, in the process, win new business.
Myth 6 - Outsourcing GDPR compliance will be a quick fix for me and my firm
There is no quick fix to GDPR compliance. No one piece of software or outsourced service provider is going to provide everything you need to comply with GDPR. For accountancy practices, GDPR will impact on how you manage and store data across your entire firm (e.g. client, prospective client, contact, supplier and staff data). You cannot outsource your responsibility for this information, and compliance with GDPR will require considerable time and preparation from all levels within your practice. With the implementation date of 25 May approaching quickly, it is important to start sooner rather than later on this.
Myth 7 - GDPR only applies to Digital Processing
Under GDPR, data processing covers both automated personal data and manual filing systems. Manual/paper records are included if they are part of a ‘relevant filing system’. This means papers stored systematically, for example, in a filing cabinet are probably included, but ad hoc paper files may not be.
Members should ensure that they apply the same levels of diligence to paper records as they do digital records and that any decisions made regarding the lawful basis for processing, adhering to data protection principles and upholding data subjects’ rights include paper records held.
Myth 8 - Under GDPR, accountants will only be seen as Data Processors and hence avoid much of the responsibility that falls on Data Controllers in this new regulation
The UK Information Commissioner’s Office (ICO) has previously advised that it considers that an accountancy firm providing accountancy services acts as a data controller. The firm’s status as a data controller in relation to clients arises because the firm has flexibility over the manner in which it provides services to its clients and will not be simply acting on their instructions. In addition to this, the firm has its own professional responsibilities regarding record-keeping and confidentiality. Therefore, because an accountant “determines what information to obtain and process in order to do the work”, firms act as “controllers in common” with clients. Under GDPR, member firms will also be data controllers with regard to their firm data (e.g. employee information). If there is any doubt regarding your status as a processor or controller in relation to your firm’s activities, you should take legal advice.
Going forward, firms will need to ensure that client terms and conditions reflect this reality, potentially extending engagement terms as appropriate.
No doubt, for many accounting practitioners, much work remains to be done to fully meet GDPR compliance requirements. Between now and the end of May, firms new to the process will need to examine their existing data processing, review their data protection policies, procedures & controls, and identify any gaps that need to be addressed. Following on from this, firms will need to implement any changes required in a structured documented manner to meet the needs of GDPR and continue to show full compliance long after the implementation date.
The Institute will continue to assist members on your GDPR compliance journey, with ongoing updates to our available guidance in this area and, should you have a specific query in this area, please feel free to contact the Practice Consulting Team.