How your accountant can help keep your data safe

First published on 02 March 2023 by Alastair
  • Categories:
  • Accounts News
  • Accountancy
  • News

Remember all the fuss when GDPR was introduced?  In fact, can you even remember the date it came into force in the UK? It was 25th May 2018 if you’re wondering.  And hands up if, after an initial frisson of running about to make sure you ticked a few boxes, you’ve done nothing else since…

Even though the short-lived Truss administration tried to make changes to data protection (DP) law, the current government has enough on its plate at present to make it very unlikely that any changes will be coming our way soon, even though that is now perfectly possible in our post-Brexit environment.  Whether you like it or not, you are still bound to meet the requirements of the UK GDPR.

However, just because we’ve all relaxed a bit, that doesn’t mean you should cut corners on ensuring that your use of data is within the law.  This applies in particular if you are thinking of selling your company: any due diligence will almost certainly pick up flaws in your data protection practices and could, potentially, put off a buyer.

The problem is that while most businesses do not appear to have any problems with GDPR, that’s often because the problems haven’t cropped up yet.  This is one of the reasons why the Information Commissioner’s Office (ICO – the UK’s independent regulator for data protection) is encouraging UK accountants to help their SME clients ensure they comply with the regulations. While the ICO is more concerned with the big companies and their potential DP law-breaking (we have heard the Regional Head of the ICO state this at a conference), that doesn’t mean that SMEs are exempt.

And as you’ll know if you run a small/medium business, there is an awful lot of regulation that you have to keep on top of, all while you are trying to drum up business and keep customers happy.  The ICO has carried out research that shows that over a third of SMEs trust their accountants for advice and over a fifth rely on their accountants to keep them up to date with DP law.

The principal reason for doing this (other than it’s just good practice) is that the ICO can fine any company for a breach of the law up to £8.7m or 2% of total annual worldwide turnover in the preceding financial year, whichever is higher. For the most serious infringements, the higher maximum applies: £17.5m or 4% of annual worldwide turnover, again whichever is higher.

To help our clients (and anyone else affected by GDPR – which is all of us), here are the key questions you should ask yourself about your data, especially if you are just starting out with a new venture.

  • How much do you know about data protection compliance and the ICO? What is your level of knowledge? Have you given any thought to how you will apply it to your business?
  • Are you aware of the work of the ICO? Have you registered with them so you can take advantage of their free resources?
  • The ICO writes to all new businesses that register with Companies House. Some business owners are not expecting a letter and think it is a scam. Please check with your accountant (preferably us, though others are available!).
  • What types of personal information do you collect on a day-to-day basis? Make a list of the personal information you already hold or are likely to be collecting as part of your business operations – you will need to account for all of it.
  • Why are you holding this personal information? If you are holding or using people’s personal information, it must always be fair as well as lawful. This means you should only use personal data reasonably. For example, if you are not open about how you obtained someone’s personal information (say you are a recruitment consultancy that has scraped CVs from the internet, or a customer service/sales organisation that has purchased leads online), then everything you subsequently do with it (whether you think it is lawful or not) is unlikely to be fair.
  • What security measures do you have in place? Check that your security is appropriate for the sensitivity of the information you hold. Put stronger measures in place if the data are sensitive (health, financial or similar details) or pose a higher risk to the people concerned.
  • Do you have a privacy notice? It is essential to tell people why you hold information about them, what you’ll do with it, and how long you will keep it before safely disposing of it. This should be recorded in a privacy notice – the ICO has a handy template for SMEs to use. This can go on your website or, if you do not have one, in paper form.
  • Do you know what a subject access request (SAR) is? Anyone whose personal information you hold – customers, staff or members of the public – has the legal right to ask what you hold about them, and you normally have one month to respond. Use the ICO’s step-by-step guide on how to deal with a subject access request.
  • Do you know what to do if your business has a personal data breach? A data breach action plan is essential. If you have a personal data breach, you must report it to the ICO within 72 hours of becoming aware of it, unless you are satisfied it is unlikely to result in a risk to the people affected; if the risk to them is high, you must also tell the people affected. Check out the ICO guide on how to respond to a personal data breach so you know what steps to take in an emergency.

The ICO has an array of free resources for SMEs, providing advice and guidance on data protection, electronic marketing and freedom of information on its dedicated SME hub. And, of course, as they suggest, if you’re at all unsure, contact your accountant and make sure you stay on the right side of the law…

Paul Mollison, M&S Accountancy and Taxation
