Share this post

In May 2018, a landmark policy applicable to all EU countries, and companies dealing with EU based customers and parties, will be put into action. Known as GDPR (General Data Protection Regulation), this law will provide a set of directives, which are set to change how data privacy and cyber-security function in modern businesses. This comprehensive legislation provides a set of security practices that could govern how personal information is stored and processed for years to come.

Keys to GDPR

The GDPR has been developed on several key principles mostly focused on personally identifiable information [PII].  Data security responsibilities for UK businesses and accounting firms can be summed up through the following points:

  • If a company wishes to use data provided by EU-based individuals for marketing and research purposes, then they must gain explicit authorization from these users in advance.

 

  • Furthermore, customers and clients must be offered the option to opt out of this data sharing agreement at any point. This is particularly important in cases where targeted third-party marketing is involved.

 

  • These options must be clearly communicated to existing and prospective customers, before any personal information can be exchanged.

 

  • If customers no longer wish to use the services of a particular company, or they simply object to the use of their data, they can request a complete erasure of all identifying details from company databases at any point.

 

  • Throughout the data sharing agreement, businesses must keep customers informed about the type of data being collected, and how this data is being used

 

  • In the event of a data breach, the processing party should notify data controllers immediately. After this notification is made, they must publically report the issue to customers within 72 hours.

 

  • It is important to remember that any security breach that occurs on the payment processor’s end will still be the responsibility of your company, any fines or other forms of regulatory censure will be applicable to the business provider as well.

Any UK-based firm that falls out of compliance with these regulations could face fines of up to 4% of their annual global revenues, with the lower limit of penalties set at a staggering €20 million. The severity of these penalties will be wholly dependent on the level of non-compliance, the compliance measures in place, the effectiveness of existing data security mechanisms, responsiveness to any data security breaches, clarity of public communications, and the adherence to customer/client privacy rules.

What Your Business Needs to Do

The GDPR at its most basic level is looking to incite firms into paying more attention to what data they have, who has access to their data and where their data is located. These are all important question your business should be asking when drafting a compliance plan for GDPR. With this in mind, every accounting firm must guarantee that all data relating to EU-based clients and business partners falls in accordance with these requirements.

Two highly effective security tools used by companies to mitigate the risk of data breaches are encryption and pseudonymization. If data is properly encrypted it will be useless to hackers and its loss will not necessitate the mass announcements that are otherwise triggered when security lapses affect GDPR-compliant companies. Similarly, by pseudonymizing data, companies can make it impossible to trace information back to the individuals it relates to. Not only does this give organizations the ability to recover more efficiently from data loss, it also offers them some leeway to conduct analytics and processing to identify the source and nature of related breaches.  

From the executive management level down, employees should be aware of the disastrous effects of insecure data management practices, and should consider how errors and misuse can lead to data security incidents. To guard against any attacks on company systems, a quick-response plan should be formulated immediately. This plan should provide a blueprint for the management and immediate resolution of any data security incidents.