If your firm processes customer-related information for individuals located in the European Union (EU), then you’re not alone in thinking the General Data Protection Regulation (GDPR) that becomes effective on May 25, 2018, will impact your practice.
How it impacts an accounting firm (and your clients), as well as how you should prepare for GDPR compliance, is what everyone is rushing to understand before the new law takes effect. In fact, two-thirds of US companies believe the regulation requires them to rethink their strategy in Europe, and 85 percent expect it to put them at a competitive disadvantage with European companies.
The widespread uncertainty has caused sleepless nights, but what does the GDPR really require? Moreover, how can you gain peace of mind by understanding how it impacts your accounting firm?
Read on for a quick refresher on the origins of the GDPR and a useful checklist to help prepare you for this important new regulation:
What is the GDPR?
The GDPR was created in 2016 by the European Parliament, Council of the EU, and the European Commission to strengthen and unify data protection for customers and individuals in the EU. No matter where a company is located, if it handles the personal information of anyone located in the EU, then it must abide by these regulations and respect the digital rights of EU citizens protected by the regulation.
What Kind of Data Does the GDPR Regulate?
The GDPR regulates any EU consumer data collected by a data controller (a person who alone, jointly or in common determines the manner in which personal data is processed) or processor (someone who acts on behalf of the controller, like a payroll provider), including but not limited to a name, photo, home or email address, bank details, social media posts, medical information or even IP address.
For accounting firms, this includes any data collected for the purposes of accounting, taxes, payroll processing and many other forms of personal information that might be used during an accounting process. This can also broadly affect a practice hired by a client, because an accountant “determines what information to obtain and process in order to do the work” while firms act as “controllers in common” with clients.
GDPR Preparation Checklist
The EU has provided a two-year transition period for firms and businesses to learn about the regulation and adapt to the new standards. Now, with the implementation deadline rapidly approaching, it’s time to ensure you have your security protocols in place to protect both your clients and your business.
You can test your GDPR readiness by reviewing this basic seven-point checklist:
1. Give a presentation on GDPR to senior management to help them understand the fines, negative publicity and class-action lawsuits that can come with non-compliance.
2. Review your client consent policies to ensure everyone on your lists has opted in and given their permission for you to collect and store their data.
3. Confirm that your default privacy settings are set to the strictest possible standards.
4. Map out your company’s existing data, including type, location and processes for access, storage, backup and control, including access by outsourcers and cloud providers; ensure that newly collected data is collected with consent and will be routed into this existing process.
5. Confirm that you have technology that can detect and investigate data breaches, so that you do not first learn of a data loss from a data protection authority or directly from your clients.
6. Prepare a communication plan in the event of a data breach that answers questions for customers and the press; identify a company spokesperson and include a response protocol to field requests outside of regular office hours.
7. Create a process for providing client data in a machine-readable form that takes into account rapid response to requests, collection of data from all sources and delivery within a reasonable timeframe; ensure this process also factors in data deletion requests.
Perhaps more than most new regulations, the GDPR is seen as introducing stressful complications into your accounting firm’s business processes. You can mitigate that stress with a careful approach to how you collect, store and protect your clients’ data – wherever they live – to be well on your way to complying with the intention of the GDPR.
The final step to meaningful preparation for GDPR compliance is to work with a technology partner who can apply their data security expertise to confirm the necessary technical details and build an information management system for your firm and your clients with data privacy in mind.
Tomas Suros is a lawyer and technology advocate working at the intersection of law, IT, and client consulting. With AbacusNext since 2004, he currently serves as Chief Solutions Architect, guiding firms through the process of identifying forward-facing technology options and ensuring the successful implementation of a tailored solution.