VP Product Management, Compliance Sage

5 Steps Accounting Firms Need to Take Before GDPR Hits

Mar 23rd 2018

With the General Data Protection Regulation (GDPR) set to go into effect in late May, any firm or their clients that offer goods or services to individuals in the EU must be able to prove their processes for collecting, using, storing and sharing any personal data are fully compliant.

More importantly, U.S.-based accounting firms that work directly with EU clients need to comply with GDPR or face penalties.

Alarmingly, a recent survey by Sage found 84 percent of U.S. companies don’t understand what GDPR’s rollout means for their business specifically, and 91 percent lack a general understanding of the regulation details. In addition, 74 percent of U.S. businesses surveyed are not confident that, or don’t know whether, their companies will be ready for GDPR requirements before the EU’s deadline.

The survey results are concerning to say the least given that businesses can face fines up to 20 million euros (approximately $24 million) or four percent of annual global turnover (whichever amount ends up being higher).

How to Prepare for GDPR

Accountants oversee incredible amounts of important business and personal data — relating to their own practices and the finances of their clients. With the May 25 deadline fast approaching, here are five actions accounting firms need to take in order to prepare for the EU’s sweeping regulations:

1. Outline the difference between Data Controllers and Data Processors

The GDPR defines two clear roles concerning the handling of data: data processors and data controllers. Consequently, accountants must consider what this means for the roles within their firms — who qualifies as a data processor and who qualifies as a data controller.

A data controller is the organization that determines the purpose and means of collecting personal data. Depending on their remit, an accountant may be processing personal data on behalf of another organization, only acting on the instructions of the data controller, and so is acting in the capacity of a ‘data processor’. However, if the accountant also acts on their own cognizance, for example due to a legal obligation to report malfeasance, then the accountant may also be a data controller.

To be 100 percent GDPR compliant, each of these accounting roles requires clear thought and definition regarding the management, storage and use of personal data.

2. Perform an internal firm-wide data audit

It is necessary that a firm review how it collects, processes and hosts personal data both electronically and in printed formats. A great initial step for accounting leaders is to conduct a firm-wide data audit. The audit should identify and assess the methods that the firm is using to collect and process both employees’ and clients’ personal data.

Following the audit, firm leadership should consider how outdated and unnecessary data will be eliminated from the firm’s databases, files and any archive facilities, and how to ensure the security and safety of the information that is being stored. From there, they should establish a system of collecting and reporting 'accountability' records moving forward, in order to prove — in an efficient and timely manner — that the firm is GDPR compliant.

3. Vet third-party software or solutions

On top of making sure all internal data collection and processing methods are in check, firms should also review any third-party software they are using. Rather than assuming outside systems will meet your GDPR requirements, ask providers exactly how their systems will support the impending legislation.

Considerations should include where data is stored (especially if the vendor provides a cloud-based service), technical specifications of third-party software platforms, security infrastructure, and backup and recovery procedures. There is a chance that some providers will not be prepared for the GDPR, so accounting firms should build in time in the event they need to invest in new, more compliant systems.

4. Communicate GDPR plans with clients

Accountants should also take it upon themselves to help clients prepare for the GDPR in order to ensure that their clients’ businesses are stable and legislatively sound for the long run (and not just in time for the deadline).

One of the most effective ways to do this is by working on a compliance readiness plan together. This way, the process leading up to the May 25 deadline can be packaged into manageable steps.

Firms should focus on key questions to uncover how much a client understands about the GDPR and how ready their business is right now to embrace the changes:

  1. How complete is their personal data inventory?
  2. How do they currently store data?

A clearly outlined plan and communicated strategy can help narrow in on what firm investment and client changes need to be made.

5. Educate your coworkers about the legislation and the importance of personal data

Maintaining GDPR compliance is a firm-wide lifelong task, and each employee should be thoroughly educated about the importance of personal data and the regulations that are in place to protect that information. Firms should establish a GDPR training program for employees to teach them about data protection law and the value of personal information.

This training should touch on key areas like the governance and management of personal data at the firm, understanding individuals’ rights when it comes to their data, breach reporting and implementing incident management procedures, and how third-party solutions the firm is using must also be compliant.


Accounting firms need to have a sound knowledge of the GDPR and how it affects core operations. Ultimately, GDPR provides an opportunity for accountants to offer the best-suited compliance support to their firm and clients and to ensure the integrity of personal data.
