If GDPR remains an issue for you or your clients, Bob Edwards FCCA has some advice.
The new Regulation came into force on 25 May and the world didn’t come to an end. Bob Edwards FCCA of Landmark and his partners at GDPR Auditing Ltd share some thoughts on that and what has happened since.
Can we all now breathe a sigh of relief and get back to business as usual? The day job – dealing with clients’ affairs – is the important stuff and as far as we can tell the GDPR is just one more raft of red tape to be side-lined. Is this a realistic reaction to the advent of GDPR?
UK businesses tend to make light of legislation that takes them away from their core activity of surviving while also making money. Accountants are no different in this respect. The difference, of course, is that as an accountant you are almost certainly handling the personal data of clients and in the case of payroll functions the personal data of clients’ employees.
Ask yourself these questions:
do you think GDPR doesn’t apply to you?
are your clients asking you about your compliance status, and if not when are they likely to?
what will happen if a client asks you to confirm that you are GDPR compliant and you cannot give that assurance?
as a regulated professional, shouldn’t you be legal and above board with all relevant legislation?
will your professional body support you, or endorse your lack of compliance, if you are potentially breaking the law?
will your professional indemnity insurers cover the downtime risks of serious data breaches if your personal data management falls outside the standards set by the GDPR?
And then consider the following:
the GDPR applies to every business that manages the personal data of other individuals
sooner or later one of your clients (probably one of your larger clients) will need confirmation that you are compliant in order to complete their compliance with the GDPR. If you can’t provide that confirmation you will likely lose their business
in our opinion any regulated professional not compliant with GDPR will be in breach of their obligation to maintain professional standards as well as breaking the law
you should be in contact with your PI insurers to clarify cover for GDPR breach risks. If you are not compliant it is difficult to see how these risks could be covered. If they are not, any damages claimed by clients whose personal data you have put at risk may have to come out of your pocket
as an accountant, operating outside of the GDPR might be seen as potentially negligent; moreover, acting as a data processor without the relevant legal agreements could be viewed as grossly negligent and against the law
regardless of whether your client is requesting a GDPR controller processor agreement, surely you should be taking the lead as a professional and advising your clients accordingly?
As an accountant you are almost invariably a data processor, and your clients are data controllers - don’t hang them out to dry, do the right thing, become GDPR compliant, help them through the process, take the lead, and use it as a business opportunity.