Sion Lewis, CEO of IRIS Accountancy Solutions
25th May 2018. With less than five months before GDPR compliance is law, it’s vital accountants take a strategic approach to GDPR as they would with any other regulatory changes.
Leaving each member of the team to digest the intricacies of the upcoming changes would risk employees interpreting elements of the regulation differently and may result in disruption in the organisation caused by misinterpretation.
This first article in a series examines the initial key step that must be taken on the GDPR journey: assigning a person in charge of auditing, risk assessment and enforcing data protection compliance across your whole practice.
Name the GDPR lead
A GDPR lead must be named from the outset, and the appointed person should have a number of attributes in their arsenal. Accountants by definition have a strong understanding of the importance of compliance due to the client work they conduct day to day. However, that alone isn’t enough. The lead should be a senior employee seen as a trustworthy member of the team. If people are naturally inspired to follow this employee’s lead in their working life, doing so to ensure GDPR compliance will be a more comfortable process. Also, the better the lead understands the sector, the practice and the world of business as a whole, the fewer issues the firm will face.
Seniority isn’t the only necessity, however. It’s vital the data protection lead has a strong understanding of modern technology, as data protection has come a long way since the days of ensuring sensitive documents are locked away safely. Now, something as seemingly innocuous as a stray email or a vulnerability on an employee’s mobile phone could result in a data breach. The lead should therefore be capable of having high-level discussions not only with the internal IT team, but also with the wider team who use personal devices for work.
The first steps
The data protection lead will be responsible for driving GDPR compliance in every element of the business – from the accountants themselves to HR and admin staff. A firm is only as strong as its weakest link and with the sheer size of the fines in place, it’s not a risk accountants can take. The first step is for the lead to be expertly trained in all aspects of GDPR. They must have an in-depth understanding of the regulations, which can be gained through available resources on everything from what it means for daily processes to how to react if a data breach occurs.
The lead will then be responsible for educating the entire team and answering any questions they may have on changing the way they work to be compliant. It’s vital they are confident in this role, as showing signs of uncertainty could result in more confusion in the long run.
It’s important to note the lead can’t be expected to instantly make the entire firm compliant on their own. Instead, they must have the authority to make changes and support management in any decisions made. This will then lay the groundwork for compliance come May 25th.
Why the leader is so vital
One thing is for certain. GDPR is a complex beast which will take time for accountancy firms to understand and overcome. Failing to appoint someone to lead the charge is akin to sending soldiers into battle without a strategy – it will likely end in disaster.
For example, accountancy has one of the most obvious generational divides of any sector. The ‘baby boomer’ accountants who are coming up to retirement are likely to be averse to a complete overhaul of their working processes. After all, what’s worked for them for the past 40 years will work for another 12 months before they retire, right? Wrong. The worst-case scenario here could be the accountant ignoring calls to begin securing all client data online and instead continuing to keep it written down in a book. If this were to be lost and fall into the wrong hands, the resultant data breach could result in reputational damage and even fines.
Similarly, a millennial accountant may be more attuned to the latest technology and automate large amounts of their workload. However, in their haste to share vital documents with clients they may inadvertently send sensitive data to the wrong contact. If managed incorrectly, this type of negligent data breach could land the practice in hot water.
Without a leader to drive the importance of GDPR compliance, firms run the risk of having sections of the business assume it doesn’t apply to them. The vast majority of compliance in the sector is accountant-specific, such as MTD and FRS; this isn’t the case with GDPR. With the sheer amount of personal data used by marketing and sales teams, it’s just as important that non-client-facing parts of the business are clear on their data protection responsibilities as the accountants themselves. The data protection lead will be that comms link across the whole business, ensuring every employee is singing from the same hymn sheet.
GDPR is the single most significant change in personal data security in decades, and with the risks of reputational damage and hefty fines, non-compliance simply isn’t an option. For firms which are yet to act, it is therefore more important than ever to assign a data protection lead without delay to avoid leaving it too late. However, that lead must be equipped with a full understanding of the intricate requirements of GDPR. Resources are available to support the transition and they must be made use of to avoid falling foul of GDPR compliance; failing to do so is akin to accepting failure.