Brian Sims
Editor

ICO calls on accountants to play key role in data protection compliance

THE INFORMATION Commissioner’s Office (ICO) is calling on UK accountants to recognise the crucial role they play in helping their SME clients have the right data protection practices in place from the day their business is established.

Research conducted by the UK regulator involving over 200 SMEs has shown that over one-third (34%) of them trust their accountants for advice, while one-fifth (20%) actively use their accountant to keep them up-to-date on data protection-related issues and the General Data Protection Regulation itself.

Data protection law sets out what businesses should do in order to make sure they are looking after people’s personal information properly and fairly. In addition to the legal requirement, good data protection makes economic sense. It saves business owners time and money and shows companies’ customers that their information is being treated correctly.

The ICO has listed seven key questions for accountants to ask their SME clients about their data protection compliance. These are as follows:

How much does your client know about data protection compliance and the ICO? Establishing a client’s level of knowledge is a useful place to start. Have they heard of the legislation and, further, have they given any thought as to how they will apply it to their own business?

Are they aware of the work of the ICO? Encouraging them to register with the regulator as soon as possible will mean that they are fully aware of the ICO’s free resources in the early days of setting up their business. The ICO also writes to all new businesses that register with Companies House. Some business owners are not expecting a letter and think it’s part of a scam. Accountants can reassure their clients that the ICO is here to help and encourage them to check in with the regulator on a regular basis in order to access the free resources available on its website.

What types of personal information will they collect on a day-to-day basis? Accountants should ask their client to make a list of the personal information they already have – or are likely to be collecting – as part of their business operations as they will need to account for it all.

‘Why’ are they holding this personal information? If they’re holding or using people’s personal information, doing so must always be fair, as well as lawful. This means they should only use such data in ways they would reasonably expect. For example, if they haven’t been open about how they’ve acquired someone’s personal information then everything they do with it after this (whether they think it’s lawful or not) is unlikely to be fair in the real world.

What security measures do they have in place? Accountants should check that their clients’ security regimes line up with the sensitivity of the information they hold. Clients should put stronger measures in place if the data poses a higher risk or is otherwise sensitive in nature.

Do they have a privacy notice? It’s essential for companies to tell people why they’re holding information about them, what they’ll do with it and how long they will keep it before safely disposing of it. This detail should be recorded in a Privacy Notice which can be placed on a client’s website.

Do they know what a subject access request is? Customers and members of the general public have the legal right to ask an accountant’s client what personal information they hold about them. It’s possible to use the ICO’s step-by-step guide on how to deal with a subject access request.

Do they know what to do if their business has a personal data breach? A Data Breach Action Plan is essential. If they do have a personal data breach, they'll need to report it to the ICO, unless they're satisfied it’s unlikely to result in a risk to the individuals affected. On behalf of their clients, accountants should check out the ICO’s guide on how to respond to a personal data breach such that they can inform them about the steps that will need to be taken in an emergency scenario.

Professional network

Faye Spencer, head of business services at the ICO, commented: “SMEs have a lot to think about when running a business and it’s natural that they rely on their professional network for guidance as they look to grow their company. Accountants are a key part of this network. It’s clear from our engagement with SMEs that many of them are reliant on their accountant to ensure their business dealings are compliant with data protection laws.”

Spencer continued: “We’re encouraging accountants across the UK to recognise the role they play and the value that they can add when it comes to offering peace of mind to clients running their own businesses. The ICO has lots of free resources available in relation to this matter, and we are here to empower all parties to unlock the value of the personal information that they hold. When processed and used responsibly, personal data can assist a business to grow. Good data protection practices project positively on a company’s reputation.”

The ICO’s advice for accountants comes as the regulator completes a pilot programme encompassing up to 60 SMEs from across the UK and in which there has been a trial of a new self-assessment and development programme. Named ‘SME Data Essentials’, it’s aimed at empowering organisations to become better equipped for managing their own data compliance. The pilot forms part of ICO25, the ICO’s new three-year strategic plan detailing how the organisation will bring down the cost of compliance, while in parallel enabling and supporting SMEs to invest, innovate and grow.
