With the General Data Protection Regulation (GDPR) now in force, we take a look at the guidance for Accounting firms from their professional bodies (see also our review of the ICAEW’s guidance).
The ACCA issued guidance to its membership in April 2018 via its technical factsheet on GDPR. The document provides a broad basis of advice and definitions, but it also contains a dedicated section with suggestions on secure ways to communicate personal data.
By their nature, Accountants and Accounting firms hold some of the most sensitive categories of data as characterised under the GDPR. In an increasingly digital world, how professionals and their clients exchange this data is a vital area of concern.
The ACCA recommend that a risk-based approach should be adopted when deciding on the level of security needed for a given piece of information. The factsheet references the Information Commissioner’s Office (ICO) guidance:
The GDPR requires personal data to be processed in a manner that:
- ensures its security,
- protects against unauthorised or unlawful processing, and
- protects against accidental loss, destruction or damage
Based on this, the ACCA review each method of communication.
In their words, “The GDPR does not introduce a ban on the transfer of personal data or tax returns by email but there are risks in using this method”. This is certainly true, but possibly understates the risk. Given that information such as payroll data, personal tax information or other personal financial information is regularly exchanged, email is a particularly risky medium.
Email is readily intercepted, can be modified by cyber-criminals, and how many of us can claim to have never sent an email to the wrong recipient? Measured against the ICO advice above, email presents a risk in all three areas. Our advice would be to never entrust sensitive personal information or confidential documents to email.
There are many email encryption tools available, and these certainly secure the content of emails. Encryption also protects stored emails and therefore guards against data loss if a device is lost or stolen.
The ACCA’s advice is that encryption is not mandatory under the Data Protection Act 2018 (DPA) or the GDPR, but that it is one method organisations can use to protect against loss, destruction or damage of data.
The main challenges around email encryption concern convenience and incoming mail. It is easy for a firm to implement email encryption and automatically encrypt outgoing emails. It is less easy for the client to deal with encrypted emails.
Worse still, the client will likely continue to send unencrypted emails. Whilst some encryption solutions will encrypt these on arrival in the inbox, the unencrypted originals can still leave uncontrolled copies of documents sitting in back-up files, on malware scanners and on devices.
The Information Commissioner’s Office (ICO) has this to say about email encryption:
Some types of encrypted email solutions can be complex to set up and require the sender and recipient to have compatible systems for the encryption and decryption process. This can cause problems when a data controller intends to send encrypted email between organisations, to members of the public, or to anyone who has not previously been contacted.
Dropbox (or Public File Sharing Applications – e.g. Drive, OneDrive, Box)
One alternative to emailing information is to share access to it via a public file sharing application. Dropbox is an extremely popular example.
The ACCA say that members need to take their own view on the security of using programs like Dropbox. The ICO suggest that the more sensitive the data, the less appropriate it will be to use ‘off the shelf’ cloud storage where the data controller is not in control of the terms and conditions.
Our advice is to steer clear of these services for sharing confidential or sensitive information outside of your own domain. Dropbox is a perfect example: its data centres are spread worldwide, meaning that unless you specify European data storage only (which usually comes with restrictions on the plan and payment options you can take), you run the risk of sending clients’ data outside of the EU.
Our own document on Public File Sharing Applications is available to download as one of our resources.
The ACCA has this to say:
These days many firms use portals to receive information from clients and send out tax returns. Use of portals is not mandatory but it can be a useful tool in maintaining data security.
Online portals are very much a step in the right direction, but the secret of getting the most from any online solution is ensuring that it is right for the client. If it presents any kind of friction in the way they want to work, they will default to requesting information via email and phone, creating costly interruptions and continuing to present a compliance risk.
Online portals and self-service are the way forward. Forrester research shows that the vast majority (72%) of clients would prefer to self-serve, and that the cost to support self-service is a fraction of the cost of dealing with email and phone enquiries.
For this to be realised, the experience for the client has to be genuinely ‘self-serve’. If they want information, it needs to be there. We have seen a number of extensions to Practice Management Systems that purport to provide online self-service. In reality they are a place where the Accountant can put documents they need the client to see, and the client can access them. They are not a comprehensive library of documents.
We’d recommend that the client is able to access a library of documents in a ‘shared drive’ format: easy to navigate, in a place that looks and feels like their everyday file explorer (Windows Explorer, or Finder on a Mac). If that place is secure, acts as a system of record (so every user can be sure they are looking at the most up-to-date version of a document) and maintains detailed audit trails of who did what and when, then it is compliant, it is simple, and because it is easy to use it is more efficient for all parties.