Sion Lewis, CEO of IRIS Accountancy Solutions

Last year the UK Government announced the Data Protection Act 1998 will be replaced by General Data Protection Regulation (GDPR) from May 2018. The previous act was drafted before the internet and cloud computing had transformed the way personal data is traded and potentially exploited by businesses. GDPR aims to not only resolve these issues and therefore vastly improve security levels, but also enforce strict fines to ensure compliance.

With less than six months until mandatory compliance, it’s vital accountants and their clients prepare for the upcoming legislation regardless of how far along their digital journeys they are. Failing to do so will incur fines which could cripple even the largest of firms – €20 million or four per cent of annual turnover, whichever is higher.

Amidst the GDPR melee, what needs to be done and by when? 

Step one: Assign a data protection lead

GDPR is an all-encompassing regulatory change, so every member of the firm must understand how this impacts not only their own processes, but also their clients. Practices shouldn’t simply roll out the changes and expect every member of the team to instantly understand – there needs to be a clear strategy in place which fosters change. This is why the first step for every accountancy firm must be to assign a data protection lead if they haven’t already.

Rather than expecting every employee to digest and understand the intricacies of GDPR, the lead should be expertly trained to fully understand the regulations. They should be responsible for educating the rest of the firm, as no practice can afford news on this type of widespread change to come down the grapevine.

Although the data protection lead can’t be expected to wave a magic wand to make the practice compliant on their own, they must have the authority to make changes and support managers when implementing changes. This will set the groundwork for GDPR compliance in advance of May 2018. 

Step two: Train staff to raise awareness

Although the data protection lead will own GDPR within the practice, data security is the responsibility of everyone – from accountants themselves to HR, operations and sales. A practice is only as strong as its weakest link, so it’s vital every employee is confident in their role and understands what the regulations mean for their daily processes and interactions with customers.

With the sheer volume of detail within the upcoming legislation, this isn’t something professionals can comply with by making a few small changes. A full training programme should be introduced covering the principles of data protection, the concepts of individuals’ rights and how the practice is protecting client data.

Training should also include discussions of exactly what happens if a data breach occurs and the importance of notifying the relevant parties of the breach within 72 hours. After all, even the most secure practice can fall foul to data breaches, whether caused by emails accidentally being sent to the wrong client or full-blown cyber attacks. This is why it’s key accountants are prepared for the worst-case scenario in the digital age.

Step three: Audit existing processes

The open discussions which take place during GDPR training sessions will highlight areas of concern from the wider workforce. Will this change the way they interact with clients? Does data need to be filed and stored differently? Do they need to move away from paper-based processes and become more digitally minded?

These and many more questions besides must be answered before a firm can be fully compliant but just paying them lip service isn’t enough. Practices must carry out a full audit of existing processes and evaluate the weak links with that worst-case scenario in mind. Everything from the strength of passwords to how data is shared between colleagues and with clients must be scrutinised.

Once the potentially unsecure processes have been highlighted this can be used to overhaul the way the entire accountancy firm works if necessary. This may sound extreme but for some of the more traditional firms still using outdated processes there won’t be a choice. It’s certainly more cost-effective than trying to transform the practice after receiving a €20 million fine. 

Step four: Create an action plan

Once a data protection lead has taken the reigns, trained the entire workforce and conducted an in-depth audit of working processes, there is one step left to reach the nirvana of GDPR compliance – creating an action plan. With the weak links identified, a plan must be put in place which resolves these shortcomings to ensure the firm is running a tight ship come May 2018.

Any policy changes must be clearly defined, documented and shared with the entire workforce and become the new business as usual. This isn’t a case of the new processes being an ideal which will be met most of the time – if just one member of the team slips back into old habits it could result in hefty fines and potential business failure. Once fully compliant, the firm will then be in a strong position to offer consultancy to the client-base on changes in services and communication. This is equally important, as working with a non-compliant client can be just as harmful as a firm being non-compliant itself.

GDPR is one of the biggest changes in legislation to hit businesses in decades and can’t be taken lightly. With less than six months until compliance is mandatory, time is running out for accountants to ensure their business and the client-base are secure. No company, regardless of their size or sector, can afford the severe fines in place, so acting now is the only option if you don’t want a failing business on your hands.