Twitter is full of it.
LinkedIn is full of it.
Newsletters and marketing emails are full of it.
It seems that you can’t move at the moment for someone trying to flog you a GDPR seminar or consultancy review. If you don’t know that as from May 2018 the law regarding the protection of personal data changes then you must have been on the moon for the last year.
So what does GDPR actually mean for the Sole Practitioner Accountant?
Is it really that complicated?
What needs to be done?
Wouldn’t it be easy if there was just one checklist for GDPR for the Sole Practitioner Accountant?
So here’s my whistle stop take on what a Sole Practitioner needs to do so that they do not fall foul of the new GDPR laws.
A general point to note is that I’ve devised what I would consider to be a proportionate solution for Sole Practitioners serving clients with very straightforward accounting needs. It’s a pragmatic approach.
This may, of course, not suit your situation or you may not agree with my approach. If you feel I have missed anything in my plan then please do provide constructive feedback, advice and information by way of a comment below. Thanks – much appreciated.
Personal Data Only
Let’s start with a reminder that the legislation relates to personal data only. So Limited Company Accounts and Corporation Tax Returns are out of scope.
Update your Letter of Engagement
The new legislation provides a good check point to review and update your Letters of Engagement (LoE) and Terms of Business (ToB) which is something that you should do on a regular basis.
As an aside, some general tips on LoEs and ToBs:
- Do one combined LoE and ToB document to make it easier when on-boarding clients
- Keep the contents of the documents generic referring to a separate scope of services document which can be reviewed and amended each year as services and fees change
- Have a front sheet for client specific contact information as well as a signature of acceptance. Consider using an electronic signature solution for sign off
- Use example documents from your professional body’s web site but make sure that they are modified to fit your specific circumstances
- Do remember to issue a disengagement letter if and when services cease
The LoE will need to be revised to include the following to cater for the new GDPR legislation:
- A Privacy Statement detailing what data you hold, why you hold it, how long you hold it for, how you process the data and who (if anyone) you would share data with. Remember to include reference to the fact that you are holding your client’s data because they have appointed you to carry out work to meet their statutory obligations of filing accounts and tax returns.
- A statement on Data Retention, Archive and Deletion. As accountants we do like to keep things but the new legislation makes us think twice about how long we hold things for. If the client is on-going you may wish to keep all files for the statutory length of time. If so then document this in your data retention policy.
If a client leaves, whilst allowing for a period of time for a response to a professional clearance letter, you should delete client data once disengagement has taken place. You may wish to be specific in your policy about how long you will keep the data for following disengagement. It may be prudent to zip up data and send it to the client or send them a hard copy of data which they can then provide to their new accountant and / or keep in case of investigation or enquiry.
Whatever you decide then document it in the LoE and bring it to the client’s attention on disengagement.
This may be a good opportunity to have a good clear out of old client data, emails and files. Remember to use a confidential waste disposal service for old client files.
Cloud Accounting and other systems
If you are using a Cloud Accounting system for clients, or any other software, you must tell your client about this. You should get a policy statement from your system supplier which should explain what data is held, where the server is located, what measures are taken to secure the data, how long the data is held for as well as how it is backed up, archived and deleted. Again this is something to have a paragraph about in your LoE.
If the client uses a system and invites you to access the data as their client then the data is their responsibility.
Do you outsource?
If you outsource any client work outside of the EU or pass data outside of the EU you must tell your clients. Be specific on this in your LoE explaining what you are doing with their data, why you are doing it and what is in place to protect your client data.
Marketing Emails and Lists
If you are holding a marketing list to be able to send out regular newsletters, surveys, feedback requests or the like then you will have to ask each and every contact for their express permission to be part of this list and to receive emails. As mentioned before, the new GDPR legislation applies to personal data only. It could be argued that if an email address is related to a company then this is not covered by the new rules.
However I would suggest that you apply a prudent approach here; ask your whole marketing list. If someone doesn’t want to receive the communication then the likelihood is that they are deleting it anyway without even reading it. So this is a good opportunity to test the water to see who actually opts into receiving marketing communication. If no one wants to receive the communication then don’t waste your time producing it; find a better and more relevant way to market to current and potential clients.
General on Emailing
The new legislation lends itself to having a think about how you communicate with clients. Over the years you may have got sloppy with client communication sending around group emails rather than a specific email to each and every client.
Now’s the time to tidy up your email approach. Ditch the Michael McIntyre “send to all” approach. Always send the email to one specific client at a time. It may take longer but it will certainly avoid any issues with data and it will look much more professional to show a personal client touch point approach.
Finally just a note on encryption. The new legislation does not mandate encryption. Once again proportionality should be considered with encryption. Think about the data exchange between you and your client. Is email any less secure than sending documents in the post? Apply a common sense approach to what documentation you are sharing and how you are sharing it bearing in mind any issues that you may have experienced with documentation and information exchange in the past. Decide on an appropriate strategy for your Accountancy Practice based upon a risk assessment of the tools you use and your client base; document the strategy for future reference purposes.