GDPR fines risk for accountancy firms
Accountancy firms who ignore the General Data Protection Regulation (GDPR) do so at their peril.
Not only will they risk huge fines but crucially, their reputations could be irrevocably damaged.
The EU’s supervisory authorities have already issued, or announced their intention to issue, fines totalling more than €372M.
According to the European Data Protection Board (EDPB), the body that reviews and provides guidance about how the GDPR should be applied across the European Union, there were 281,088 cases logged by supervisory authorities in the first year of the GDPR’s implementation.
Of these, 144,376 were complaints and 89,271 related to data breach notifications by data controllers.
iCaaS GDPR Management know of companies that have been issued with enforcements from the Information Commissioner’s Office (ICO), the UK’s data protection authority.
And we know that accountancy firms have already fallen foul of the strict and complex regulations.
One accountancy firm from the North of England was issued with an enforcement after failing to respond to a Subject Access Request (SAR) on time.
CEO Nicola Hartland said: “It’s evident that the ICO has found its teeth and that more enforcements, which can eventually lead to fines, will be issued.
“Accountancy practices, hold so much personal data that they are particularly susceptible to data breaches and due to the volume of interaction with personal data, would be more likely to be issued with SAR’s from clients.
“It is therefore essential that accountancy practices know how to deal with personal data. Compliance with the GDPR is vital. They must ensure they have robust procedures in place and are certain they are 100% compliant.”
Since the GDPR came into force, financial consultancy firm Mazers carried out some research into the fines issued so far.
They found there have been 68 fines across 20 European countries, with the Czech Republic, Germany and Hungary issuing the most fines.
Sweden, Belgium, Greece, Italy, Lithuania, Malta, Portugal and Netherlands Netherlands, have issued one fine each.
The greatest number of fines by sector so far has been by the financial services with 11 fines.
The professional services sector was second with seven fines, followed by the public sector with five. Healthcare, hospitality, technology and telecommunications received four fines each.
Most of the fines issued were for breaches related to the processing of personal data, with 41 penalties.
A whopping 23 fines were issued for the lawfulness of processing data, and three for the rules covering the notification of a breach to supervisory authorities.
The communication of a personal data breach to the subject was also the cause of another fine being issued.
An average fine of €21million was issued to fifteen companies under the rules covering the security of data processing.
Four fines were even issued to private citizens, which shows that it is not only businesses that are being fines.
Implications for accountants
Accountants handle a vast amount of data – both client and employee – daily. Firms will need to ensure that their systems are robust enough to meet GDPR requirements and that the data is protected in line with GDPR provisions.
To determine whether operations comply with GDPR, firms may need to carry out an audit on current procedures in order to identify if and where they fall short of GDPR standards.
By failing to comply, accountants leave themselves open to significant penalties.
Organisations in breach of the GDPR regulation could be fined a maximum of up to 4% of annual global turnover or €20 million – whichever is greater, for organisations that infringe its requirements.
As accountants position themselves as strategic advisers to clients, GDPR is an opportunity for firms to demonstrate to clients that they can securely hold and process information in line with data requirements, and that protection of client data is a priority for the practice.
As a result, clients are likely to see their accountants as trusted professionals to whom they can entrust business and personal data, and with whom they can partner to drive their business forward.
Billed as the most important change in data privacy in recent years, GDPR came into effect on 25 May 2018.
Approved by the EU parliament in April 2016, GDPR is an EU regulation which aims to harmonise data privacy laws across Europe, strengthening the protection of data.
GDPR applies to all companies in the EU and the EEA (The European Economic Area) that process and hold personal data. Furthermore, it no longer matters if the processing of data takes place outside of the EU – controllers or processors outside of the EU are still subject to the regulation if they offer goods or services to EU data subjects or collect data on EU individuals.
All personal data is subject to GDPR. Personal data includes any information from which a person can be identified, either directly or indirectly. This includes a name, email address, bank details, photo, medical information or computer IP address.
In addition, sensitive personal data concerns “special categories” of data, including genetic and biometric data used to identify an individual and requires greater protection measures.
It’s very clear that smaller firms and SMEs, including accountants, face the risk of cyber-attacks because they are a “gateway” to information and likely to have fewer security measures in place.
It’s important therefore, that accountants review their current protection, and think about the sensitivity of the information they hold, and how to keep it safe.