How do you stay compliant working from home?
By Iwona Tokc-Wilde, 6 Nov 2017

Self-employed members ask this question time and time again, so we’re taking a closer look at the key practices they need to follow. Non-compliance with relevant laws and regulations can open you up to disciplinary action, fines, lawsuits, loss of reputation and loss of business. It’s the stuff of nightmares for any licensed accountant or bookkeeper, so it’s no wonder you are anxious to know whether you are doing things right.

The biggest headaches

Some aspects of compliance cause a bigger headache than others. Feedback from AAT practice assurance reviews carried out so far in 2017 shows that members typically fall short in these five significant areas:

- Anti-money laundering procedures.
- IT and data security, including not being registered under the Data Protection Act, being registered incorrectly, or being unaware of the upcoming changes under GDPR.
- Terms of engagement, including non-compliance with the requirements of the Client Care policy. In some instances no engagement letters were found at all.
- Provision of Services Regulations 2009 (professional indemnity insurance details not provided to clients).
- CPD, including lack of practice management training and inadequate records.

Helen Barrett, Professional Standards manager at AAT, points out that home-working members may find adhering to data protection legislation and ensuring confidentiality particularly challenging. She says: “They need to have adequate measures in place to make sure personal information is being protected, retained in a secure location and backed up regularly. They must also maintain confidentiality of information at all times and be alert to the possibility of accidental disclosure, particularly in circumstances involving close relations.”

Data protection and security

Andy Housley, owner of Square 1 Accounting, works on his own.
He says: “Being a one-man-band, I have just one laptop and that’s it.” Although the vast majority of his client data is stored in the cloud, either through the accounting packages he uses or via Dropbox, he does hold some of it on the laptop. He’s not the only one, so how can you ensure client data security if you store data locally?

Edward Whittingham, managing director of the Business Fraud Prevention Partnership, says you need at least these basic IT security measures: anti-virus software, anti-malware software and a firewall. He adds: “Your email passwords must be strong and different for your work and personal accounts. One central email account often acts as the gateway for resetting passwords for all connected accounts.” He also points out that users are often the weakest link if they lack cyber security awareness. “You may need to get up-skilled to be able to spot phishing emails and ransomware, and understand all the other means by which fraudsters can target your data.”

Linus Chang, chief executive of Scram Software, confirms that ransomware attacks, as well as hardware failure, are indeed the biggest risks for locally stored data. He says: “I highly recommend you take regular backups to at least two different encrypted physical media (such as USB hard drives) that are swapped regularly and get disconnected from the server. This is important: ransomware and hackers cannot attack a backup if it’s sitting in a safe or on a shelf, but people have had backups attacked when they are still connected to the server.” Chang also recommends a separate backup to the cloud, using client-side encryption to secure the data.

But does this make Dropbox, for example, totally secure? Whittingham says: “No, unfortunately no data is ever totally secure, no matter where it’s stored. Data that traverses the internet is also at risk of cyber-attacks or data leaks as a result of negligence. There isn’t a golden bullet to fix security 100%. Instead, swot up on cyber security, adopt best practice and do all of the right things to keep the data as secure as possible.”

Members find that using cloud-based accounting software helps with data security, too. Mariah Tompkins, founder of WKM Accountancy Services, uses QuickBooks Online. She says: “All client information is encrypted and hence kept confidential and secure external to the business. We also regularly update our passwords and access codes.” The Audit Trail security feature records every user who logs into the service and any changes made to transactions. All files are backed up automatically and scanned for viruses, and you can share files securely with clients.

Staying on top of compliance

Generally, online tools and specialist software make compliance less of an administrative burden. “When you start, you may be able to track everything on a spreadsheet, but as you grow you need more automation,” says Rob Ellis, partner at Welch & Ellis Accountants. He uses Creditsafe for AML checks, and Practice Ignition for client take-up including engagement letters. Some software providers offer training or email updates on any changes to relevant legislation and regulations. “The HMRC’s website, their online seminars and agent tools including newsletters and email updates are also very good resources for what’s happening regulatory-wise,” says Housley.

Tompkins has signed up to email updates from AAT, which flag up the latest legislation updates and useful resources. “At the moment, we’re getting ready for the new GDPR rules which will take effect from 25 May 2018,” she says. Tompkins adds: “We also follow AAT guidelines on how to stay compliant with AAT’s practice standards, policies, regulations and statutory obligations, and if we are unsure about anything, we can always ring them to verify this.” You can contact the Professional Standards team on +44 (0)20 3735 2468 or by email at firstname.lastname@example.org.
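Chang’s advice in the data protection section above comes down to two checks: the cloud folder only ever receives data that was encrypted on your own machine under a key that stays with the offline media, and a backup is only trusted once a restore has been verified. The Go program below is an added illustration of both; it is not code from AAT, Scram Software, Dropbox or anyone quoted in this article. The sample client file, its name, the random-key handling and the fingerprint manifest are constructed assumptions; it uses only the Go standard library (AES-256-GCM).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Constructed sample "client file" standing in for a spreadsheet or PDF that
// would otherwise be copied in plaintext into a synced cloud folder.
var sampleClientFile = []byte("Client: Example Ltd\nVAT return Q3 2017\nTotal due: 1,234.56\n")

// Constructed file name. It is bound to the ciphertext as GCM associated data,
// so one client's encrypted blob cannot be silently renamed to another's.
const sampleFileName = "example-ltd-vat-q3.txt"

// NewBackupKey generates a random 256-bit AES key. The key belongs on the
// offline media (or in a password manager), never beside the ciphertext in
// the cloud account: whoever holds the key can read every backup.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. Output layout: 12-byte random
// nonce followed by ciphertext and authentication tag.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. A modified blob, a wrong key or a mismatched file name
// is rejected outright instead of yielding corrupted plaintext.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// Fingerprint is the SHA-256 of the plaintext, recorded in a local manifest so
// a restore from the cloud copy or from the offline media can be checked.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// RoundTrip backs up the sample file, restores it and compares the result with
// the recorded fingerprint. A backup that has never been restored is untested.
func RoundTrip(key []byte) (bool, error) {
	want := Fingerprint(sampleClientFile)
	blob, err := Seal(key, sampleFileName, sampleClientFile)
	if err != nil {
		return false, err
	}
	// blob is what would be written to the synced folder; the plaintext never is.
	got, err := Open(key, sampleFileName, blob)
	if err != nil {
		return false, err
	}
	return Fingerprint(got) == want && bytes.Equal(got, sampleClientFile), nil
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	ok, err := RoundTrip(key)
	fmt.Println("restore verified:", ok, "error:", err)
}
```

The design point is that the cloud provider, or anyone who obtains the Dropbox account, sees only authenticated ciphertext; the trade-off is that losing the key means losing the backups, which is why the key travels with the encrypted USB media that is swapped and kept disconnected, and why the restore check belongs on the same schedule as the backup itself.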
Finally, here’s a list of resources you can use to help you stay compliant:

Compliance with GDPR
Visit the ICO website.

Compliance with AAT policies and regulations
Visit the AAT licensing area of our website for the following:
- Licensing policy
- Licensing Regulations
- Client Care policy
- Clients’ Money policy
- Continuity of Practice policy
- Professional Indemnity Insurance policy
- Practice Assurance standards
- Money Laundering Regulations
- AAT Code of Professional Ethics
- Guide for Self Employed Members

Keeping your skills and competences up to date
AAT has a range of CPD tools and guidance to support members offering services to the public on a self-employed basis. For further information, visit AAT Professional Zone.

Iwona Tokc-Wilde is a business journalist.