This article explores some of the Data Protection Act legal and compliance risks that accounting firms face when processing clients' confidential data.
Between 2011 and 2013 there was a 145% increase in penalty notices issued by the UK regulator, the Information Commissioner's Office (ICO). A PricewaterhouseCoopers study found that 60% of small businesses had an information security breach in 2014.
Many accounting firms are moving their data systems to cloud solutions and rely on the data security infrastructure offered by the cloud provider; however, recent high-profile information breaches at large organisations such as Amazon and Google have made accounting firms rethink using the cloud. Larger companies can afford a more secure, sophisticated and well-protected cloud platform, but smaller companies tend to put cost ahead of security or compliance, which makes them a target for determined hackers.
In addition to having an IT support company, you can consult data protection experts for extra peace of mind; they can review your company's data infrastructure and advise on how to reduce the chance of a data breach and how to limit your financial and legal liability should an attack occur.
Here are some questions your business should consider to determine your data risk.
Do I have obligations as an accountant under the Data Protection Act? Yes. As a data controller you have responsibilities under the Data Protection Act when processing your clients' personal data. The ICO expects you to meet all eight principles of the DPA irrespective of the size of your company.
Can I outsource my responsibilities as a data controller to a third party? You cannot pass all of your responsibility to a third party if you use personal data as a data controller. As an accountant, you will generally have discretion over which third parties you choose to assist with processing your clients' records; however, the responsibility remains the data controller's, and any data breach will be the liability of the accountant if he or she is classed as a data controller under the Data Protection Act.
Will I have liabilities if data stored on the cloud is breached or misused? As a data controller, how your data is managed is solely your responsibility. The accountant therefore needs to apply due diligence when choosing a cloud platform to back up or store data. The key consideration is:
Location of the data centre servers. It cannot be assumed that transferring your data to a third-party cloud provider removes your responsibility for the security of where and how the data is held within the cloud.
What are the chances of enforcement if a breach does occur? The ICO intends to become more proactive in pursuing action against smaller companies, even when no complaint has been raised. A tougher regulatory environment is currently being implemented for 2015/2016. So far the ICO has levied fines for data breaches, and we expect this activity to increase with the changes under the new regulation. A major factor in assessing your risk is whether any of your activities is likely to trigger a complaint.
Will using encryption technologies provide adequate protection? The term "encryption" is widely misused. To maintain compliance with the Data Protection Act, the encryption needs to meet a relevant benchmark, such as FIPS 140-2 certification. The data generally needs to be stored in an EU data centre, and you (as the data controller) need to retain control of the encryption key.
What proactive steps can I take to protect my data? Undertaking a data security review now could highlight present failings or weak spots that would cause significant problems or breaches under the DPA when the new regulations come into effect. The regulations, including the means of and reasons for processing data, must be built into an enterprise's operation by design and by default. This involves appropriate technical and organisational measures.
Identifying how data is handled in your business will put you in a strong position not only to comply with the regulation but also to protect your business.
About the author
This article has been written by JMS Secure Data, which has over 15 years' experience in IT data security development and operates primarily in the accounting sector. We work with accountants to provide solutions for compliance under the Data Protection Act (DPA) through encryption, data backup and secure cloud.
This article does not constitute legal advice; if you have any concerns regarding data protection, please contact us.
If you would like to discuss any data security issues for your business, please contact us.