The dust has settled, the 25th May 2018 has passed… All businesses, including accountancy practices, in the UK are now compliant with the new “all bells and whistles” data protection legislation: the General Data Protection Regulation, otherwise known as GDPR. Or are they?
GDPR compliance for accountants in 12 steps
This article details the steps I have taken, as a professional accountant, towards GDPR compliance for my own practice. It follows the 12 steps from our workbook solution but, whether you chose to use our workbook or not, I hope the article will give you a good overview of the key steps to follow to achieve GDPR compliance for your own accountancy firm.
In the lead-up to the May 2018 deadline the ACCA backed a workbook solution to GDPR compliance for accountants that I co-authored with GDPR Auditing Ltd. The version we produced is written specifically for accountants. Demand for the workbook was significant and, as an aid to subscriber firms, I wrote a log of my progress, completing the twelve sections of the workbook for my small practice. A copy of these notes is reproduced below.
My experience of completing the 12 steps to GDPR compliance for accountants is documented below:
STEP 1 – Assigning responsibility for GDPR Compliance
Tab one of our Workbook is headed “Data Security Owner” (DSO). Under the GDPR someone needs to take responsibility for steering a business through the compliance process.
On the face of it, this is a simple decision for me as I am a sole trader and I have no staff. My choices are:
- Take on the role myself, or
- Delegate the role to a qualified 3rd party
I considered approaching my IT support company, but now I know more about GDPR, I have a sneaking suspicion that I know more about the process than they do.
I could also ask my colleagues at GDPR Auditing to do the work for me, but this, quite rightly, would involve additional costs and it would defeat the object of this present exercise, which is to path-find the whole process for practitioners.
Most sole practitioners will find themselves in a similar position to me; larger practices may have a number of individuals who are suitable to take on the role. Before making a decision make sure you read through the three checklists on sheet one of the Workbook, as these will guide you on the duties, qualities and responsibilities that a DSO will need to embrace.
I have minuted that I will be the Swan Partnership Data Security Owner and I have applied myself to changing the “No” entries on my DSO checklists where appropriate. The checklists are split into three sections:
- Duties on the DSO
- Qualities of the DSO
- Organisation’s responsibilities
Some of the first section can only be completed when other parts of the process are completed, but I have managed to select “Yes” or “n/a” to most of the sections and this is a checklist that I will return to in due course.
STEP 2 – GDPR Workbook: completing the Record of Processing
The second step in my progress towards GDPR compliance is to complete the next page in my GDPR Workbook, the Record of Processing.
What is the Record of Processing?
It is an editable list of the variables that are used to create the various reports and tables throughout the Workbook. In effect, it’s a record of information about your practice, a description of the types of personal data you manage, and other standard statements required by the GDPR.
Much of the work is already done for you
You will need to read and edit the information in column D of the Workbook sheet; it is highlighted in blue. In my case, I changed the practice information and made minor changes to the pre-filled standard statements.
STEP 3 – Editing the Data Retention Schedule
The third step is a review and edit of the entries in the Data Retention Schedule.
What is the Data Retention Schedule?
The Data Retention Schedule is the place where you record various information about ALL sources of personal data you hold; whether this be of clients, prospects, staff or other business contacts.
In a nutshell it lists a variety of record types that cover the data, who looks after it, any basis for retention and other considerations required under the GDPR.
Again, much of the work is done for you
Before you panic, I pre-populated the first twenty lines of the Schedule with a generic description of most of the data records an accountancy practice will create. Accordingly, all you will need to do, as I have just done for the Swan Partnership, is edit, add or delete entries to mirror your practice’s data retention routines. In particular, in column M of the worksheet you should list the names of the third parties to whom your personal data records are sent.
STEP 4 – create a Privacy Notice for your online resources
This week my GDPR chore was to edit the Privacy Notice in the Workbook and send it to my website developer.
What is a Privacy Notice?
The Privacy Notice is required to be accessible from any online resources that you use to collect personal data. Your website is the prime example, but it could be Facebook, Twitter or other social media platform that your practice uses. The Notice explains how you respect, protect, collect and otherwise manage the personal data collected from your online platforms.
Do I have to create this document from scratch?
No… The Workbook creates the basic document based on the information you have already entered in steps 1 to 3. However, you will need to edit the copy. I suggest you follow the process I completed today. It was:
Edit the Workbook page for Step 4; you can edit the text where necessary (the key section is columns D and E). Don’t worry too much at this stage about layout, fonts etc.
When you have completed your basic edit highlight the range D4 to E125, right click and Copy, and paste into a new Word document. From here you can tidy up formatting and use this document to send to your web developer(s).
STEP 5 – create a privacy notice for your employee contracts
This part of the process was to edit the Privacy Notice in the Workbook and incorporate the finished document into my employee contracts. I need to confess that I have no employees, but I did edit the worksheet so that I could report on what is involved. Sheet 5 builds a privacy notice that communicates the way in which you manage the personal data of your staff.
Do I have to create this document from scratch?
No… The Workbook creates the basic document based on the information you have already entered in steps 1 to 4 and the standard copy we have added. However, you may need to edit the text. I suggest you follow the process I completed today. It was:
Edit the Workbook page for Step 5; you can edit the text where necessary (the key section is columns D and E). Don’t worry too much at this stage about layout, fonts etc. The blue text cannot be edited on this page, as it is drawn from sheet 2, the Record of Processing; you will need to access sheet 2 if you want to edit this part of the text. The black text can be edited.
When you have completed your basic edit highlight the range D4 to E173, right click and Copy, and paste into a new Word document. From here you can tidy up formatting and use this document to incorporate into your employee contracts.
STEP 6 – create Client Agreement Notice
The GDPR requires that we are conscious of the terms we agree with persons who share their personal data with us. For accountants this is normally covered in terms and conditions that accompany client engagement letters.
Step 6 of our GDPR Workbook draws out the issues that need to be covered. Most of the information on Step 6 is drawn from the Record of Processing. Basically, the black copy can be edited.
There are no short cuts here: you just need to read the copy and change it as necessary.
Changes to your letters of engagement?
The final section is important, the example contractual terms. You should already have something similar in your existing engagement letters. Edit the text on your workbook and then copy and paste into your present documents. This may cause complications if your professional overseers determine what goes in your T & Cs and engagement letters. If the two are at variance you should take up the differences with your professional body.
STEP 7 – Marketing Consent
Sheet 7 of the GDPR Workbook covers the gritty subject of consent. It is a checklist recording that you have considered, acted on and reviewed your obligation to seek, obtain and record consent where this is required by the GDPR. For each item listed on the checklist you need to change the status of the Check column to read “Yes” or “n/a”.
This section of the workbook is targeted, for accountants, at their business prospects, those individuals who in the past have informally consented to receive your newsletter or other marketing communications.
However unnecessary the process may seem, to comply with the GDPR your continuing consent to send marketing information needs to be evidenced from 25 May 2018.
How do we obtain consent?
I recommend that you log in to your user portal, go to the 12-Steps(L) link and open and read the Consent PDF. Basically, there is no quick fix to this part of the process.
Consult with your marketing advisors
Most practices use a third party process to send marketing information. I suggest that you contact them and ask for a written assurance that the processes set out in the GDPR, and enshrined in your Workbook checklist, are observed. If not, you will need to re-think the way that your practice gathers and evidences consent and contact your existing marketing lists to seek adequate consent.
Do I have to seek separate consent to email clients with marketing material?
If your terms and conditions and letters of engagement include a statement that you send out “marketing” information to clients from time to time – and clients were able to opt in or out of this at the time you signed them up – then this should be considered sufficient consent, in which case further consent should not be required. However, this consent should not be bundled with the contract, i.e. you would be hard put to argue that receiving marketing and newsletters was a precondition of the accounting services.
Won’t I lose most of my marketing contacts?
When I first considered this issue of consent for my own businesses I realised that my existing records of consent were non-existent, and that I would need to start again, sending out requests for a formal (double opt-in) consent from contacts to cover the GDPR requirements. I will undertake this work before 25 May. Although this may result in the loss of 90% of my marketing contacts (and there are thousands), realistically only 10 or 15% open my marketing emails. So having a “willing to participate” list, albeit much reduced, is perhaps a worthwhile housekeeping process.
Time to bite the bullet on this issue. Read the Consent PDF, speak with your newsletter/marketing managers, re-enrol your marketing lists in accordance with the GDPR if necessary, and then complete your checklist on sheet 7 of the Workbook.
STEP 8 – Security Awareness Log
This part of our workbook records that your staff have read and acknowledged their responsibilities under the GDPR by reading your practice Information Security Policy.
What is an Information Security Policy?
We have published a guide “Information Security Policy” on our support portal, the Supporting Documents section. The introduction to this document says:
This Information Security Policy is designed to provide your organisation with detailed guidance on common IT processes and procedures, and some good practice. It is intended to cover the Information Technology required for the GDPR.
In other words, it informs staff how they need to behave when using IT and data in your practice.
What do staff need to do?
To complete this section you will need to direct your staff to read our detailed Information Security Policy Review. This is a supporting document you can access on your GDPR support portal.
Record individual compliance with this obligation on the Workbook log, section 8. For completeness, you should ensure that you download the draft Security Awareness Training acknowledgement and each staff member should sign as appropriate.
Is this a one-off exercise?
You will need to repeat the process annually, for existing staff, and as part of your induction processes for new staff. If the rules change we will update the various guides and templates.
STEP 9 – 3rd party contracts
This section of the Workbook deals with issues arising from the placement of personal data under your control with 3rd parties. For example, subcontractors and software vendors where your data is held in the cloud.
No short cuts here
Without confirmation that these 3rd parties are GDPR compliant it would appear that lapses in their security arrangements then become your problem.
The last three sections of this page provide details of the sorts of terms that should be included in contracts, whether you are the Controller or Processor in the arrangement.
Resources in the support portal
You should also read the guide (step 9) set out in the “12-Steps” section of the support portal. You can also download a “Draft request to send to 3rd parties” that you can adapt (see the Templates and Downloads section of the support portal).
For me, the major issue is chasing up software vendors. Once you are confident of the terms you need to agree with 3rd parties, you will need to be persistent to secure their written confirmation that the contracts in place meet the GDPR’s requirements.
STEP 10 – requests from data subjects
Action is only required here when you receive a formal request from a data subject for details of the personal data you hold.
The Workbook log includes statutory deadlines and maps the way you have dealt with requests.
For background on your responsibilities in this area read the Step 10 support notes.
Pleased to say there are no entries thus far in my log…
STEP 11a and 11b – record of data breaches
From a GDPR perspective, data breaches are our worst nightmare. By accessing our systems, hackers and the like gain access to personal data placed in our care; and the consequences can be dire.
Read the support notes
The two pages in your workbook, 11a and 11b, provide the means to log these breaches, if they ever occur, and the action you have taken thereafter.
Read the relevant support notes. All of the work you have done in completing your GDPR Workbook is aimed at minimising data breach and its consequences.
Pleased to say that thus far I have no breaches to report.
STEP 12 – the Technical and Organisational Security Measures (TOSM)
For me, this is the most daunting part of the compliance process. Definitely outside my comfort zone.
Still work to do here
I have to confess that I am unlikely to have this completed for the 25th deadline. I am in conversation with IT support contractors I use and everyone seems to have a different appreciation of what is required.
What is the TOSM?
The TOSM is a comprehensive checklist of the technical and organisational issues you need to deal with in order to be compliant with the GDPR.
Read the support documentation
Again, you will find supporting documentation in the support portal. Where necessary you will need to consult with the staff or outside contractors who look after your IT and other related matters.
Job done – these 12 steps form the basic structure of our workbook, enabling GDPR compliance for accountants.
Or you can call me to discuss your concerns regarding GDPR compliance – Bob Edwards 07879 896073