Wednesday, 10 January 2018

GDPR Compliance for Accountancy Practices: Just Where is your Confidential Data?



This may sound like an odd question, as I’m sure many of you will be certain you know just where all your confidential and personal data is held. But do you really? And does it matter?

Accountants hold a great deal of personal data, such as tax information and payroll data, which identifies individuals by name or reference number and as such falls under the scope of the GDPR. In my previous article I talked about 6 key steps to take in preparing your practice for GDPR, the first of which was about understanding your data. This is a fundamental prerequisite: until you understand what data you hold, and where it is stored, it is nigh on impossible to protect it adequately, as the GDPR demands.

And the reality is that, in the globalised world in which we now operate, with increasing demands for remote working, there is a real danger that your precious business data may be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company- and employee-owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails?

And then there’s data that has been shared with business partners and other third-party organisations. And data that has, for whatever reason, found its way onto file-sharing services like Dropbox, or onto USB sticks.

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so it has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs. The cloud takes many forms, from well-known public cloud offerings, through private cloud environments, to individual cloud-based software applications. Understanding which of these your firm is using, and where your data is actually being stored as a consequence, is paramount if you are to meet your obligations under GDPR. Those obligations include ensuring that you do not store data in, or transfer data to, countries outside the European Economic Area that do not have equivalently strong data protection standards.

There are also copies of data taken for backup purposes to consider. And do bear in mind that this is not just the scheduled backups of your in-house servers; it can include backups you may not even be aware of, such as automatic cloud backup software installed on employee-owned devices, which could be copying confidential company data to an unknown provider’s cloud storage, in an unknown location, unbeknown to anyone.

In general terms, the more widespread and less controlled your data is, the more vulnerable you leave your accountancy practice to a security breach. So understanding what data you hold, where it is stored and who has access to it is absolutely critical. This in turn needs to be documented, both so that the Partners/Directors have an understanding of, and control over, their data, and to provide documentation for compliance and audit purposes. This not only puts firms back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for accountancy practices. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk, and I will be happy to arrange a no-obligation conference call to discuss how Connexion can help. We are currently working with accountancy practices on a wide range of GDPR readiness solutions, including carrying out GDPR cyber readiness audits, benchmarking current cyber security with an independent vulnerability scan, and implementing technologies and business processes to address vulnerabilities in cyber security defences, data backup strategy and disaster recovery provision.

If you would like to read other articles in our series of informational resources for Partners and Directors at Accountancy practices, please visit our blog at https://accountancyit.blogspot.co.uk/

 ________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size accountancy practices throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for accountancy practices please visit our website http://www.connexion.co.uk/accountancy

Thursday, 4 January 2018

Preparing your Accountancy Practice for GDPR – 6 Key Steps to Take



With Making Tax Digital having been at the forefront of most accountants’ minds in 2017, and then the tax return season being upon us once again, many accountants have found little time to think about GDPR yet. However, GDPR comes into force in May 2018, and as such time is fast running out to get your practice prepared.

I therefore thought it would be useful to put together some information on this topic, including 6 key steps I would recommend taking to prepare your practice for GDPR.

By way of background, the new EU General Data Protection Regulation (GDPR) represents the most radical change in data protection legislation in the last 20 years. It has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well-formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

The regulator (in the UK this is the Information Commissioner’s Office) has the power to levy substantial fines of up to €20 million or 4% of your annual turnover, whichever is the higher, on organisations that do not comply. In addition, if you experience a data breach, there is an obligation to notify the data protection authority, and in some cases the consumers affected, within 72 hours. This leaves the firm concerned highly exposed to brand damage and potential customer payouts.

So what do accountancy firms need to be doing to prepare for GDPR?

Well, this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the types of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.

2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if firms are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.

3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. This is very important if you are to avoid data breaches and the resulting fines and reputational damage they would cause.

4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.

5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up-to-date with best practice around security and data protection.

6. Create a breach notification plan. This is important because if the worst should happen and you do experience a data breach under GDPR, you need a clear plan to deal with it and to communicate it as smoothly and accurately as possible, with the least possible damage to your firm.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for accountancy firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk, and I will be happy to arrange a no-obligation conference call to discuss ways that we can help. We are currently working with accountancy practices on a wide range of GDPR readiness solutions, including providing GDPR cyber readiness audits, benchmarking firms’ current cyber security with an independent vulnerability scan, and implementing technologies and business processes to address vulnerabilities in cyber security defences, data backup strategy and disaster recovery provision.
