gdpr guide for accountants final - sk-berater.com · for example, social media, which now seems so...



GDPR Guide for Accountants and Bookkeepers

www.sage.com/Accountants


Introduction

Recent research undertaken by Sage¹ shows that 57% of UK businesses lack awareness surrounding the General Data Protection Regulation (GDPR), while 60% don’t understand what the GDPR means for their business. With the GDPR enforcement just months away, the time is now to put a practical plan in place to prepare for compliance with the new regulation from 25 May 2018.

At Sage, we recognise that this level of uncertainty amongst Accountants, and their small-to-medium sized business client base, means many practices may be unprepared to deal with the impact of GDPR on their practice and their clients.

This guide provides clear information on the

and how it will impact the way you work with

surrounding the key considerations of the GDPR with practical and actionable guidance on how you can become GDPR ready, and prepared to provide trusted advice to your clients.

1. Sage GDPR Customer Survey, October 2017, UK, 100 respondents


Foreword

Mark Taylor, Technical Innovation Manager, IT Faculty, ICAEW

Business practices, and the world of accountancy, have changed enormously since the Data Protection Act (DPA) came into UK law in 1998. Since then, the quantity of consumer data, and the

For example, social media, which now seems so prevalent across our personal and professional

changes, enhancements to legislation are needed to protect consumers’ rights. The General Data Protection Regulation (GDPR) is exactly that, and represents a necessary evolution of the DPA.

Accountants are the custodians of vital business and personal data, not only relating to their own practices, but also that of their clients. Which means our industry is at the forefront of needing to be GDPR-ready to comply with the new regulation from 25 May 2018.

With less than six months to go until the compliance deadline, there still seems to be confusion and uncertainty in the industry about the best ways to get ready, and to advise

is the time to address some key questions:

• What business and client data do you currently hold?

• How is this data stored and managed?

• Within your practice, who is responsible for this data?

• How do clients have access to their data, and is it being shared in the appropriate way?

• If you are processing data on the basis of consent (as opposed to any other lawful basis, such as contract), what evidence do you have of this?

Accountability is a key element of the GDPR. This characteristic already forms part of accountant and

core ethics. It means that we must be able to demonstrate compliance with the data protection principles in the GDPR. With helpful guidance and advice, the industry can be prepared for the

and their client management processes.

well-placed to support GDPR readiness by working

practice operations. At ICAEW, we are working with organisations like Sage to help share this knowledge, to support and aid Accountants in preparation for GDPR compliance.

This Sage guide provides practical advice and actionable steps to help you understand the key requirements of the GDPR and how to prepare your practice accordingly.


GDPR: The View from Sage

Adam Prince, VP Global Product Management

of products, and helping Accountants become GDPR ready is a key part of this. We’ve developed robust governance procedures to manage the implementation of the GDPR throughout our business to meet our obligations and ensure we’re prepared ahead of the EU enforcement from 25 May 2018.

We’re also sharing our knowledge and expertise with Accountants as part of an external programme that’s already underway. Our education packages, whether they be webinars, Sage events, or working in combination with you as part of a client training initiative, are designed to help you become GDPR-ready, and enable you to provide trusted advice to your clients.

Cameron John, Global Director of Accountant Partners

ways in which Accountants run their practices, and work with clients. Seen as a trusted source of advice and guidance, particularly for small-to-medium sized businesses, Accountants have an opportunity to take the lead with their clients to help them prepare for GDPR compliance.

Uncertainty relating to substantial legislative change also exposes gaps in knowledge and understanding,

Sage, we’re focused on working with Accountants to cut through the confusion with practical guidance and actionable steps to enable you to be GDPR-ready.

We’re also here to help you realise your future potential

digital transformation. Moving your clients to cloud accounting

next big opportunity for your practice, in terms of realising

and also expanding your services to add greater value to your clients.

Through innovative tools, such as this guide, our series of Sage Sessions events, and practice materials, we’re sharing our expertise to equip you with the knowledge to best serve your clients. Working together, we can help turn GDPR from a challenge into an opportunity.


What is the GDPR?

The GDPR is the new legal framework for

the European Union on the 25 May 2018.

EU Member States, meaning the GDPR will take precedence over any national laws. There is no planned grace period.

The GDPR’s focus is the protection of personal data, i.e. data about individuals. In fact, GDPR is

how data relating to an individual should be handled – impacting not just companies but any individual, corporation, public authority, agency or other body that processes the personal data of individuals based in the EU. This includes suppliers a company might utilise to process personal data.

It has a surprisingly extensive scope, including all Member States of the European Union along with the UK post-Brexit in 2019, as the GDPR will also be incorporated into UK law. Unlike the EU Directive 95/46 on data protection, the

in the EU, or that monitor their behaviour within the EU. For example, website hosting companies in the US that host sites accessible

The GDPR has massive implications for every department of many businesses worldwide. Some might need to employ or assign a Data Protection

in place additional practices and safeguards.

highly recommended. And, with the prospect of

€20 million, whichever is greater - knowledge of the GDPR should be considered mandatory.


The GDPR in summary

The key areas of the GDPR, with particular reference to the current EU Directive 95/46 (the Directive).


Right to move or transfer personal data (data portability)

Where personal data has been provided to a data controller by data subjects on the basis of contract or consent, those individuals now have the right to move, copy or transfer that personal data from one place to another, even to a competitor.

For example, a business may work with an incumbent accountancy practice,

then they can take any data held by

the incumbent with them. As such, personal data needs to be stored and managed in a structured, commonly-used and machine-readable format so it can easily be utilised and shared.

The requirement to make data truly portable and easy-to-use by

adjustments, and therefore costs.

Extensive scope

Put simply, the GDPR makes liable for breaches not just the business that collects the personal data, but also any third party that processes the personal data on behalf of that business. However, this does not mean a business can simply hand the personal data to a third party and then turn a blind eye. The business must ensure the third-party supplier is also compliant with the GDPR. This represents a potential exposure for Accountants, who typically handle personal data relating to their clients (as a processor), as well as their own practice (as a controller).

Geographical scope is also extended beyond just the EU to any business, or any third-party processing personal data on its behalf. Because the EU is a trading partner of most countries, the GDPR’s wider scope means it has implications for many

require them to be compliant if they wish to operate in EU member states either directly or as a third-party for others.

Proof of compliance

It is not enough to merely comply with the GDPR. A business needs to prove it’s doing so under the GDPR’s requirement for “accountability”, and this means complying with potentially onerous record-keeping requirements. In particular, records should be maintained that detail processing activities*, subject access requests, breaches, how consents are obtained, and Privacy Impact Assessments.

those third-parties processing personal data on a business’ behalf, although the requirements are not as detailed.

* Applies to companies employing more than 250 people, or companies employing fewer people where the processing carried out is likely to result in a risk to the rights and freedoms of individuals, is not occasional, or includes Special Categories of Data, such as information on health, religion or sexual orientation.


Brexit

The GDPR will apply in the UK until its exit from the European Union in 2019. It was stated following the UK general election in 2017 that new data protection laws will:

“… implement the General Data Protection Regulation and the new Directive which applies to law enforcement data processing, meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally

– Source: Queen’s Speech, June 2017

Therefore, it is possible, but cannot be assumed, that post-Brexit the UK will be considered a country deemed to

European Commission, so may not be

data protection transfer prohibitions.


GDPR: What it means for your practice


Being clear on personal data responsibilities

The GDPR sets out the minimum requirements for the treatment of all personal data. Personal data

to an individual in most ways (including things like physical appearance or even biometric data).

Most businesses collect personal data from the minute they interact with an individual, and in some cases, might not even be aware they’ve done so. For example, personal data collection might be as elementary as website tracking cookies that identify a user of your website. It runs all the way through to something as detailed as an individual’s record on a customer relationship management (CRM) database, and far beyond. The personal data might be collected

but this still falls under the remit of the GDPR.

to rethink how they collect, manage and handle personal data relating to both their practice, and their clients. Given the extent of the changes under the GDPR, it’s unlikely that

least some adjustments to its processes and procedures. For the majority of practices, these working methods are likely to require major

Client data processing

Under the GDPR there are six legal bases for the handling and processing of data:

1. Legitimate interests: This is a subjective area, and practices must balance their right as a business to use an individual’s data against the individual’s right for their data not to be used. Firms must have a clear and compelling case for why a person’s data must be used, and it would be good practice to document the reasoning behind your decision. This principle also applies when using data for marketing purposes.

2. Consent: Consent must be freely given, informed and unambiguous, and can be captured in several formats (e.g. online via a tick-box, or by answering “yes” in a telephone call); a record of this consent must then be kept.

3. Contract: This relates to the necessary processing of personal data as part of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering a contract, and is unchanged from current data protection regulations.

4. Legal obligation: This is of particular

have a legal obligation to hold on to personal data, for example, as part of compliance with HMRC or fraud prevention

5. Vital interests: The processing of personal data is allowed by an organisation in order to protect the vital interests of the data subject. In essence, this

6. Public interest: Applicable in the event of personal data needing to be processed in the public interest, for example, relating to the performance of tasks carried out by a public authority. For accountancy practices, this may relate to the processing of employee or client salary details by HMRC to calculate tax coding.


Supplier data

While you’re thinking about how you treat the personal data of your clients and employees, let’s not forget your suppliers. It may well be that you are in receipt of personal data under this type of relationship and it requires the same level of

Further to this, if your suppliers are required to process personal data on your behalf, don’t forget that the GDPR requires certain mandatory provisions to be incorporated into

And where the situation is reversed, if you are acting as a Data Processor on behalf of another organisation, you can expect to be asked to enter into new processing terms too.

as data subjects. These include:

• The right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used.

• Data access, which encompasses subject access requests.

• or incomplete.

• (under certain circumstances).

• Requests to block or suppress the processing of personal data.

• Data portability, which allows employees to obtain and reuse their personal data for their

asking for their personal data to be transferred.

practices relates to recruitment. Prior to GDPR

hold on to copies of CVs once an advertised role

another position. Under the GDPR, this will not be possible unless explicit consent is sought and given, in which case the data must be stored and handled in compliance with GDPR regulations.

Compliance spending

any costs relating to new systems, processes and resources needed to be GDPR compliant. This may include a migration from manual, hard-copy

require not only investment in the system, but also

Accountants are valued and trusted advisors to clients. To deliver on these expectations there is a corresponding need to share knowledge and advise clients appropriately on key legislation. So now is the time to analyse and understand the impact the GDPR is likely to have on your practice and your clients.


GDPR: What it means for your clients


Working with your clients on a GDPR readiness plan not only provides practical, actionable steps to ensure they are compliant, but also helps you identify opportunities for added value services that further embed your practice in their business.

1. Where are your clients now in terms of GDPR readiness? This helps your clients to understand their business’ current maturity in relation to GDPR compliance, and consider what aspects of the

their business. This is not a tick box exercise but a pragmatic, focused process to really understand your clients’ exposure to GDPR privacy risks

2. This is crucial for understanding what sort of data your clients need to hold (and about who), how it will be processed in a GDPR compliant manner, and what investment needs to be made to deliver on this strategy. Consideration also

vendors – to ensure full compliance.

3. Knowing what success looks like: GDPR compliance is all about developing a data protection solution that’s appropriate for an individual business. Taking a pragmatic approach and building a realistic plan will prepare clients for GDPR enforcement, and can be broken down into these key focus areas:

• Governance: Understand what personal data clients hold, and how they plan to manage it.

• Individual rights: Be up-to-speed on what individuals can request, and what they have rights over. Set up your processes accordingly to handle such requests.

• Breach reporting: Put in place robust incident management procedures to be compliant with the GDPR requirement for reporting data breaches to the regulator within 72 hours.

• Reliance on third parties: Data Controllers are required to understand how their supply chain handles data. The necessary contracts with appropriate clauses, retention periods and audit trails must be in place in time for GDPR enforcement.

• Training: Identify what level of training

to understand the requirements of the GDPR. “Higher risk” functions such as HR and Marketing may need more detailed training and support.

4. Make it business as usual: GDPR compliance involves more than simply being ready for the enforcement deadline on 25 May 2018. Going forward, your clients will be required to demonstrate how personal data is collected, used, retained, disclosed, and destroyed in line with the GDPR requirements.

from current working processes and methods,

accountability principle, that demands:

• Businesses will need a clear, documented risk management framework

• Personal data must be kept up-to-date and accessible in response to data subject requests

• privacy, and audit these on a continuing basis

• processes and procedures

• Transparency with third parties relating to what they’re doing with your data.


Safe with Sage

The Sage GDPR Commitment

Helping Accountants and bookkeepers to prepare for key compliance regulations has been a key commitment from Sage for over 30 years. And

experts are here to support you with practical, impartial and actionable guidance and advice to help you understand the impact of GDPR compliance on your practice and clients. We remain

skills you and your clients need to be GDPR ready.

We’re producing product statements that detail

GDPR-ready to help you prepare for compliance. In addition, our education programme is tailored to helping you and your clients overcome the challenge of GDPR preparation. This features a service menu of free and paid-for training

including practice-run sessions for your clients.

By embracing new working practices, you’ll

personal data management, and be well-placed to advise your clients on the key

Sage University - GDPR training options

you take the next step in your journey as you tackle complex compliance requirements.

you and your clients need to prepare for major legislation changes such as the GDPR. Our Learning Services Team, through our Sage University learning platform, provide education, enablement and training in one place.

For details on our Learning Services menu featuring all free and paid-for GDPR training options, please visit go.sage.com/adwebinars. Alternatively, contact your Sage Account Manager for full details of our GDPR webinars, in-practice and client training sessions, or call 0845 111 1111.

Sage Legal Disclaimer

The information contained in this guide is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.

promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for

or decisions taken as a result of using this information.


practice and for your clients – for every stage of the journey. To learn more, call 0845 111 1111 or visit sage.com/Accountants