There is less than one year before the biggest change to data-protection law in 20 years.
Europe’s General Data Protection Regulation (GDPR) will give citizens greater control over their personal data (for example name and address) and over “sensitive data” (such as political opinions or ethnicity) held by organisations.
The law, which will apply to all UK businesses from 25 May 2018 and will be unaffected by Brexit, brings tougher fines for organisations that break data rules and gives individuals greater control over the data organisations keep about them.
Businesses that break GDPR rules could be fined up to €20m or 4% of their annual global turnover, whichever is higher.
“The new data fines could potentially put businesses out of business,” says Darron Gibbard, chief technical security officer at Qualys, which makes information and compliance software for small business.
Most employers in the UK, including accounting firms, will be affected by the new law, which highlights the importance of good cyber security.
How can accountants help their businesses and their clients prepare for the new data-protection rules?
GDPR aims to “give control of personal data back to citizens and residents”, says Andrew Rogoyski, vice president of cyber security services at CGI, a large IT security consultancy, who ran a workshop on cyber security at AAT’s annual conference.
The new data rules will also:
- Introduce the “right to be forgotten” (people can ask for their personal data to be deleted)
- Expand the definition of personal data to include any data that can be used to identify an individual, such as IP addresses or biometric data
- Require businesses, for the first time, to report serious data breaches to the regulator as a statutory duty. Where a breach is likely to put individuals at high risk, businesses will also need to inform those individuals that their personal data has been stolen or lost.
Under the new rules, companies can also be fined if data they have outsourced to a supplier is lost or accessed by an attacker.
These changes will have a major effect on accountants, who process personal information including National Insurance numbers and bank and tax details, all of which can be used to identify an individual, says Rogoyski, who previously worked for the Cabinet Office’s Office of Cyber Security and Information Assurance.
Accountants must be able to identify the types of data and information that are held across their business, and assess the relative importance of each type of data and how it is used.
Businesses must understand where information is held, how it is processed and what controls are applied − including the use of third-party systems and services such as cloud computing, Rogoyski says.
Preparations for the GDPR will depend on the size of your business, how much personal data it has and what type.
Experts advise starting by reviewing all your data, meaning any personal information held on paper or electronically: customer details, supplier records, legal contracts and HR records.
Paper records can then be scanned into PDF so that they can be indexed and searched, and a document management system can help you organise the information. Bear in mind that scanned copies are additional copies of the same personal data, so they need the same access controls and protection as the originals.
This data audit may take a minimum of six months for a small organisation or years for a big organisation, says Gibbard.
Next, work out what your most important data is and where it is, then check it’s secure.
Accountants should work with legal and regulatory/compliance teams to prepare for GDPR, experts say. Smaller businesses or accounting firms may lack these experts in-house, so may need to use contractors or suppliers.
If personal data is lost or stolen, an organisation will need to show the regulator (in the UK, the Information Commissioner’s Office) that it had taken appropriate technical and organisational measures to keep the data secure, for example information security software and training staff in data protection.
The GDPR will also require companies to report some types of unauthorised leak or hack of personal data to the regulatory authorities within 72 hours of becoming aware of the breach. “This will mark a significant change in the status quo,” Rogoyski says. “We believe only a small minority of cyber breaches in Europe are currently revealed to the public.”
Getting ready for GDPR is a team effort. Accounting firms and accountants in business should work with IT professionals to review their organisation’s IT security (technology such as firewalls and anti-virus software), map where personal data is, and prioritise securing the most confidential types of data.
Next, check that staff in your business have been trained in data security and cyber security. What will you do if your IT security is breached? Do you have an “incident response” plan that covers how to pinpoint the problem, contain and minimise the damage, and inform the regulator and affected individuals if necessary?
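The data-audit steps above (review what personal data is held, map where it sits, then secure the most important of it) are far quicker to begin with a discovery scan than by reading files by hand. The following is an added example, not code from the article or from any of the firms quoted: a small Python scan that walks a constructed set of documents (fictional text standing in for scanned PDFs, HR records and client files), flags candidate UK National Insurance numbers, e-mail addresses and IPv4 addresses, and reports per-file counts with the matched values masked so that the audit report does not itself become another unprotected copy of the data. The file names, sample text and the NI prefix rules (the publicly documented HMRC rules on which prefixes are never issued, which you should check against current guidance) are assumptions of the example; a real audit would add the patterns the firm actually handles, such as bank details and tax references, and run against the real file shares.

```python
"""Personal-data discovery scan for a GDPR data audit.

Added example (not from the article): finds candidate personal data in a
set of documents so it can be mapped and prioritised. Values in the report
are masked so the report does not become another copy of the data.
"""
import ipaddress
import re
from collections import defaultdict

# UK National Insurance number: two letters, six digits, suffix A-D,
# written with or without spaces (AB 12 34 56 C or AB123456C).
NI_RE = re.compile(r"\b([A-Z]{2})\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Prefix rules as published by HMRC (an assumption of this example; verify
# against current guidance): these letters and prefixes are never issued.
NI_BAD_FIRST = set("DFIQUV")
NI_BAD_SECOND = set("DFIQUVO")
NI_BAD_PREFIX = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}


def is_plausible_ni_prefix(prefix: str) -> bool:
    """Reject letter pairs that can never start a real NI number."""
    return (prefix[0] not in NI_BAD_FIRST
            and prefix[1] not in NI_BAD_SECOND
            and prefix not in NI_BAD_PREFIX)


def is_valid_ipv4(candidate: str) -> bool:
    """Drop regex hits such as 10.20.300.4 that are not real addresses."""
    try:
        ipaddress.IPv4Address(candidate)
    except ValueError:
        return False
    return True


def mask(value: str) -> str:
    """Keep only the first and last two characters: the audit report must
    not itself become an unprotected store of personal data."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text: str) -> dict:
    """Return {category: [masked matches]} for one document."""
    found = defaultdict(list)
    for m in NI_RE.finditer(text):
        if is_plausible_ni_prefix(m.group(1)):
            found["ni_number"].append(mask("".join(m.groups())))
    for m in EMAIL_RE.finditer(text):
        found["email"].append(mask(m.group(0)))
    for m in IPV4_RE.finditer(text):
        if is_valid_ipv4(m.group(0)):
            found["ipv4"].append(mask(m.group(0)))
    return dict(found)


def build_data_map(docs: dict) -> dict:
    """docs is {path: text}; returns {path: {category: count}} for files
    that contain candidate personal data, i.e. the start of a data map."""
    data_map = {}
    for path, text in docs.items():
        hits = scan_text(text)
        if hits:
            data_map[path] = {category: len(values) for category, values in hits.items()}
    return data_map


# Constructed sample corpus with fictional data, standing in for scanned
# PDFs, HR records and client files on a real file share.
SAMPLE_DOCS = {
    "hr/payroll-2017.txt": "Employee J Bloggs, NI AB 12 34 56 C, sort code 12-34-56.",
    "clients/acme-contact.txt": "Contact: jane.doe@example.com; office VPN 10.0.5.17",
    "it/server-notes.txt": "Build 10.20.300.4 deployed; 999.1.1.1 is not a real address.",
    "legal/template.txt": "Insert client name here. This template holds no personal data.",
}

if __name__ == "__main__":
    for path, counts in build_data_map(SAMPLE_DOCS).items():
        print(path, counts)
```

Run as a script it prints one line per file that holds candidate personal data. Two design points matter for a real audit: the regex hits are validated (NI prefixes that are never issued, IP-like strings that are not addresses such as a build number) so the data map is not padded with false positives, and the report stores masked values only, because a plain list of every NI number and e-mail address found is exactly the kind of file an attacker wants. The output is still a heuristic starting point; the data map needs human review before it is used to prioritise controls.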
Secure your supply chain
Don’t forget about third parties, including your clients (are they keeping their data secure?) and your suppliers.
As more financial data is kept online in the cloud, often on servers outside the European Union, you need to know where your cloud or software supplier stores your data, whether it complies with data regulations, and whether it has strong IT security technology and procedures (for example, certification to ISO/IEC 27001, the widely recognised international standard for information security management).
The new data-protection rules are tougher on IT suppliers. For example, an IT supplier must hand back or delete personal data held on behalf of their business customer after their contract finishes, says Anthony Lee, partner at DMH Stallard, a law firm.
Outsourcing data protection to a supplier won’t get businesses off the hook. They can still be fined if their suppliers break data-protection rules.
Lee, who advises businesses on data protection and cyber security, says that companies may want to insert a clause in their contract with their supplier giving them the right to inspect the supplier to check that it is complying with the new data-protection rules.
Accountants can make compliance smoother by using their analytical skills and business knowledge to audit financial data and supply chains and liaise with legal, IT and compliance experts within their business and clients.
On the plus side, organising and securing data in preparation for GDPR may help businesses better understand customers and reduce the likelihood of data breaches.
Nick Huber is a freelance journalist and has written for Accounting Technician magazine, The Guardian and BBC.