General Data Protection Regulation is coming – what you need to know

No one who lived through the 1990s will ever forget the screeching tones of dial-up internet.

The dawn of the digital age was a strange time: spreadsheets were delivered to accountants on floppy disks, and mobile phones, if you could afford one, had foot-long antennas. Technology has come an awfully long way in the past three decades, but, unfortunately, the same cannot be said for data protection legislation.

The European Union’s current data protection guidelines were adopted as far back as 1995. Designed to protect an individual’s right to privacy, the Data Protection Directive requires firms which digitally store personal information to follow good handling practices. Now, in the era of smartphones and social media, more companies have access to sensitive data than ever before and the legislation is due for an update.

New rules for the digital world

In April of last year, the European Union adopted the General Data Protection Regulation (GDPR) to give citizens greater control over how their information is used. Businesses in all member states must be compliant with the new framework by 25 May 2018 — and this includes the UK too.

Following the UK’s decision to leave the EU, Matt Hancock, the minister responsible for data protection, was asked by the House of Lords committee whether the UK would still adopt GDPR. Hancock reaffirmed that the government intends to fully implement GDPR, and would do so in line with the existing schedule laid out by the EU.

The new rules will apply to two types of actor: data “controllers” and data “processors”. The former are individuals or organisations which determine how and why personal information is processed. The processors themselves are third parties who have access to data.

Don’t let the jargon fool you: GDPR isn’t just going to apply to Internet giants like Facebook and Google. Accountancy firms also store sensitive information on their clients — from National Insurance numbers to bank account information. This means that accountants and bookkeepers must be ready to comply with GDPR. With one year left to prepare, some firms might still be wondering where to begin. Figuring out who in an organisation has access to protected data is a crucial first step.

“Start off by identifying your personal data,” urges Liam McKenna, partner in the Consulting Services practice at global accounting group Mazars. “Understand what the definition of personal data is, get somebody in your organisation to take responsibility for it and engage with different divisions within the accountancy practice, because they’re all going to have different personal data.”

Keeping clients safe

Penalties for non-compliance are high. The EU has proposed fines of €20m or four percent of global turnover if a business fails to adhere to the rules of the GDPR. This is because leaving data unprotected is now a serious threat to economic productivity. Government figures show that two thirds of large businesses in the UK experienced a cyber breach in the year to May 2016.

It’s vital that accountancy firms, both large and small, ensure their computer systems are protected from hackers. In practice, this might mean bringing in IT consultants and investing in new technologies to make sure that client information is secure.

“Accountants and bookkeepers should carry out a risk assessment on current systems, such as a data protection health check, to identify any potential risks of non-compliance or vulnerabilities,” says Farida Rahman-Wright, professional standards manager at AAT. “They should also consider installing encryption software on all PCs and devices in accordance with Information Commissioner’s Office guidelines.”

However, no security system is going to be totally foolproof. This is why the GDPR also includes new reporting guidelines for data breaches. Under the regulations, an organisation will have 72 hours to inform the relevant supervisory authorities of a cyberattack. Accounting firms should establish reporting procedures to ensure they’re ready to spring into action if the worst does happen.

The GDPR sets a more rigorous standard for maintaining customer data and the computer systems that store it. Under the rules, individuals can also request that their data is deleted if there is no good reason for a firm to store it. While the ‘right to be forgotten’ is designed to protect consumers, data processors should be aware that deleting information is not as simple as dragging a file into the trash.

“Data erasure can be difficult due to backups, multiple systems and cloud storage,” warns Rahman-Wright. “If customers request that their data is deleted, a reliable process must be in place, while if data is deleted accidentally it must be reported. Companies in possession of the data must also notify other holders of the data that consent has been withdrawn and data should be erased.”

Accounting firms already have all of the skills a business needs to successfully comply with the GDPR. Being comfortable with data and adhering to strict handling procedures is all in a day’s work for bookkeepers and accountants. Come May 2018, the accounting profession will have another opportunity to show clients that their data is in safe hands.

Jesse Onslow Norton is a writer, editor and communications consultant at Flibl. A former coder, his editorial work focuses on fintech, digital transformation, policy and regulation. His clients include corporations, governments, startups and SMEs from across the world. Follow him on Twitter @JesseOnslow.
