Thursday, 4 January 2018

Preparing your Accountancy Practice for GDPR – 6 Key Steps to Take



With Making Tax Digital having been at the forefront of most accountants’ minds in 2017, and then the tax return season being upon us once again, many accountants have found little time to think about GDPR yet. However, GDPR comes into force in May 2018, and as such time is fast running out to get your practice prepared.

I therefore thought it would be useful to put together some information on this topic, including 6 key steps I would recommend taking to prepare your practice for GDPR.

By way of background, the new EU General Data Protection Regulation (GDPR) represents the most radical change in data protection legislation in the last 20 years. It has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well-formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

The regulator (in the UK this is the Information Commissioner's Office) has the power to levy substantial fines of up to €20 million or 4% of your annual turnover, whichever is the higher, on organisations that do not comply. In addition, if you experience a data breach, there is an obligation to notify the data protection authority, and in some cases the consumers affected, within 72 hours. This leaves the firm concerned highly exposed to brand damage and potential customer payouts.

So what do accountancy firms need to be doing to prepare for GDPR?

Well, this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.

2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if firms are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.

3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. This is very important if you are to avoid data breaches and the resulting fines and reputational damage that would be caused.

4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.

5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up-to-date with best practice around security and data protection.

6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your firm.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for accountancy firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk, and I will be happy to arrange a no-obligation conference call to discuss ways that we can help. We are currently working with accountancy practices on a wide range of GDPR readiness solutions, including providing GDPR cyber readiness audits, benchmarking firms’ current cyber security with an independent vulnerability scan, and implementing technologies and business processes to address vulnerabilities in cyber security defences, data backup strategy and disaster recovery provision.

If you would like to read other articles in our series of informational resources for Partners and Directors at Accountancy practices, please visit our blog at https://accountancyit.blogspot.co.uk/

 _________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size accountancy practices throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for accountancy practices please visit our website http://www.connexion.co.uk/accountancy
