With the advent of the General Data Protection Regulation (GDPR), and with accountants and accounting firms holding many of the most sensitive categories of data as characterised under the regulation, it is useful to review the Chartered Institute of Accountants (ICAEW) advice on compliance for its own members.
Other resources you may wish to review:
- ACCA advice for compliance
- Solicitors Regulation Authority guidelines for secure information exchange
The ICAEW rightly point out that, under GDPR, the firm has an obligation to be able to demonstrate compliance. They also note that the Regulation (and the Data Protection Act 2018) does not state exactly how this should be done. With this in mind, the advice centres on examining the strengths and weaknesses of each medium of communication.
The detailed advice is available for ICAEW members here: ICAEW Technical Advisory – GDPR Communicating Safely with Clients
Email: Unprotected Attachment
This is a no-no. In the ICAEW’s words it would be “ill-advised as it would be difficult to justify this approach complies with the principle of ensuring appropriate security”.
We’d agree. Email is fundamentally insecure. Not only is it easy to misdirect (how many people can claim that they’ve NEVER sent an email to the wrong person?), it can lead to multiplication (back-up copies, multiple versions of attachments) and is easy to intercept. If this is an everyday method of communication, it is easy for a fraudster to impersonate either party and provides an easy opportunity to appropriate funds from either accountant or client.
It also doesn’t address the other major issue with email. Being so convenient, it can be easier for a client to request information from a busy professional than it is for them to find it in their own filing system. With every interruption distracting staff from higher-value work, it’s a drain on resources and profitability for the accounting firm.
The ICAEW’s only advice for what to do if a client sends in personal data in an unprotected email is to remind them not to do it again. For anyone who has tried to get clients to change their habits (particularly turning up in mid-January with a Tesco bag full of receipts), this might seem like hope over experience. We’d say it leaves a massive risk and needs dealing with differently.
Password Protected Attachment
The ICAEW see this as slightly better – but it’s now putting an inconvenient step in the process. If a password is to be used the firm has two choices: keep the password the same on all documents (a security risk) or send all passwords via a different method of communication (inconvenient and a source of additional calls and emails from frustrated clients).
In the ICAEW’s words, “whilst some firms may feel that they can justify this position, simple password protection alone may not always be considered appropriate and firms may look to a higher level of security”.
Encrypted and Password Protected
There are many email encryption tools available and this certainly secures the content of emails. It protects stored emails and therefore protects against data loss if a device is lost or stolen.
The main challenges around email encryption concern convenience and incoming mail. It’s easy for a firm to implement email encryption and automatically encrypt outgoing emails. It’s less easy for the client to deal with encrypted emails. Worse still, the client will likely continue to send unencrypted emails. Whilst some encryption solutions will encrypt them in the inbox, it can still lead to uncontrolled versions of documents sitting in back-up files, on malware scanners and on devices.
The Information Commissioner’s Office (ICO) has this to say about email encryption:
Some types of encrypted email solutions can be complex to set up and require the sender and recipient to have compatible systems for the encryption and decryption process. This can cause problems when a data controller intends to send encrypted email between organisations, to members of the public, or to anyone who has not previously been contacted.
The ICAEW see a secure file sharing portal as the most secure option as it encrypts the data and ensures that members of staff are prevented from sending unprotected attachments in error.
They rightly point out that a firm must ensure that the servers on which information is held are within the EU.
We’d say this is good advice. But the secret of getting the most from any online solution is ensuring that it is right for the client. If it presents any kind of friction in the way they want to behave, they will default to requesting information via email and phone – creating costly interruptions and continuing to present a compliance risk.
Online portals and self-service are the way forward. Forrester research shows that the vast majority (72%) of clients would prefer to self-serve and that the cost to support is a fraction of dealing with email and phone enquiries.
For this to be realised, the experience for the client has to be genuinely ‘self-serve’. If they want information, it needs to be there. We’ve seen a number of extensions to Practice Management Systems that purport to provide online self-service. The reality is that it is a place where the Accountant can put documents they need the client to see and the client can access them. It is not a comprehensive library of documents.
We’d recommend that the client is able to access a library of the documents in a ‘shared drive’ format: easy to navigate, in a place that looks and feels like their everyday file explorer (Windows Explorer, Finder on a Mac). If that place is secure, acts as a system of record (where every user can be sure that they are looking at the most up-to-date version of a document) and maintains detailed audit trails of who did what and when, then it is compliant, it’s simple and, because it is easy to use, it is more efficient for all parties.