GDPR 3 months in: what accountants need to know
It’s now been three months since GDPR came into effect, so we’re taking a moment to discuss how the accountants we speak to are finding it, and what challenges still lie ahead – in particular, how technology is helping (or hindering!) compliance.
The email conundrum
For many years, exchanging important and sensitive documents with clients by email has been the norm. But accountants have had to re-think this standard part of daily work life, as they come to terms with the recent and significant tightening of data protection laws.
Some of you have started to use file sharing sites, but are still working through how to manage these for multiple clients, while more tech-savvy businesses have opted for more complex software.
GDPR has significantly altered the way accountants work, and properly adopting new technology can help businesses meet their obligations under the legislation, in particular the requirement to keep client data secure in transit and at rest. Accountants often deal with clients who are reluctant to switch away from email, even after hearing the new GDPR rules explained.
It therefore presents an opportunity for accountancy practices to establish themselves as trusted business advisers, capable of not only gathering and analysing client information, but also protecting business data, whatever the sensitivity, using software that offers security, speed and flexibility.
We’d love to hear what your company is doing and what wisdom you can share with your fellow accountants.
The Blockchain conundrum
While many get their heads around data protection, the other growing concern for accountants currently is how to interact with Blockchain – and how that can work alongside GDPR.
One of the main questions that arises from accountants we work with is understanding the difference between public and private Blockchain. Put simply, a public Blockchain is completely open: anyone can join, read every transaction and submit new ones. That gives it strong integrity (the record is very hard to tamper with) but little to no privacy, since every record is visible to everyone. A private (permissioned) Blockchain, by contrast, admits participants by invitation, and access to the ledger is limited to those participants; some designs go further and restrict each transaction to the entities involved in it, so that other members cannot see it.
Whilst its shared, decentralised ledger reduces the mistrust toward unaudited financial statements, the advantage of Blockchain’s immutability could also be a downfall when it comes to GDPR compliance. Within seconds, transactions are verified, cleared and stored in a block that carries a cryptographic hash of the preceding block, thereby creating a chain. This structure permanently timestamps and stores exchanges of value, and any alteration to an earlier block changes its hash and breaks the link from every block after it, so tampering cannot go unnoticed. Two significant rights under the GDPR, the right to erasure (the ‘right to be forgotten’, Article 17) and the right to rectification (Article 16), therefore directly conflict with how Blockchain operates.
For most accountancy firms operating from a centralised database system, a deletion request should, in theory, be simple: data the firm no longer has a lawful basis or business need to hold must be removed. Whilst it’s true that firms will need to overcome common issues such as data dispersed across multiple servers and backups, locating the relevant data and deleting it permanently should be a task that firms are able to handle.
For Blockchain, this process is anything but simple. Its whole premise is built on the fact that records can’t be changed. If someone were to request the removal of their data from a chain, there would be significant logistical problems to overcome. Firstly, editing a block changes its hash, so every later block’s link to it no longer matches; ‘fixing’ that means rewriting the rest of the chain, which undoes the good of the ledger. There is also the fact that data is saved across multiple nodes, so truly deleting information would be a challenge, especially in a publicly operated Blockchain where the firm controls none of the other copies.
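To make the structural point concrete, here is an added Python example (not code from the original post or from any particular Blockchain product). It builds a minimal hash chain, shows that honouring an erasure request by editing a block leaves every later block pointing at a hash that no longer exists, and then goes one step beyond the text to show the pattern commonly used to reconcile the two: keep the personal data off chain and record only a salted hash (commitment) of it on chain, so that erasing the off-chain record and its salt leaves an orphaned hash while the chain itself still verifies. Client names, invoice amounts and the `OffChainStore` class are constructed for the example.

```python
import hashlib
import json
import os
import uuid

GENESIS_PREV = "0" * 64


def block_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the block body (everything but 'hash')."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_block(chain: list, record: dict) -> dict:
    """Append a block whose prev_hash is the hash of the block before it."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    body = {"index": len(chain), "prev_hash": prev, "record": record}
    block = dict(body, hash=block_hash(body))
    chain.append(block)
    return block


def verify_chain(chain: list) -> bool:
    """True only if every block's hash matches its contents and links to its predecessor."""
    expected_prev = GENESIS_PREV
    for i, block in enumerate(chain):
        body = {k: v for k, v in block.items() if k != "hash"}
        if block["index"] != i or block["prev_hash"] != expected_prev:
            return False
        if block_hash(body) != block["hash"]:
            return False
        expected_prev = block["hash"]
    return True


def commitment(salt: bytes, record: dict) -> str:
    """Salted hash of a record: binds the chain to the data without revealing it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + payload).hexdigest()


class OffChainStore:
    """Hypothetical store: personal data lives here, keyed by a random id; the chain holds only commitments."""

    def __init__(self):
        self._records = {}  # record_id -> (salt, record)

    def put(self, record: dict) -> tuple:
        record_id = str(uuid.uuid4())
        salt = os.urandom(32)  # 256-bit random salt defeats guessing low-entropy fields
        self._records[record_id] = (salt, record)
        return record_id, commitment(salt, record)

    def resolve(self, record_id: str, expected: str):
        """Return the record if it is still held and matches the on-chain commitment, else None."""
        entry = self._records.get(record_id)
        if entry is None:
            return None
        salt, record = entry
        return record if commitment(salt, record) == expected else None

    def erase(self, record_id: str) -> None:
        # Deleting salt and record together leaves an on-chain hash that identifies nobody.
        self._records.pop(record_id, None)


def demo_on_chain_erasure() -> tuple:
    """Personal data stored directly in blocks: erasing it breaks the chain."""
    chain = []
    append_block(chain, {"client": "Alice Example", "invoice_gbp": 120.0})  # constructed sample
    append_block(chain, {"client": "Bob Example", "invoice_gbp": 80.0})
    ok_before = verify_chain(chain)
    # Honour an erasure request by editing block 0 and recomputing only its own hash.
    chain[0]["record"]["client"] = "[erased]"
    chain[0]["hash"] = block_hash({k: v for k, v in chain[0].items() if k != "hash"})
    # Block 0 is self-consistent again, but block 1's prev_hash no longer matches it.
    return ok_before, verify_chain(chain)


def demo_off_chain_erasure() -> tuple:
    """Only salted commitments on chain: erasure happens off chain and the chain stays valid."""
    chain, store = [], OffChainStore()
    rid_a, c_a = store.put({"client": "Alice Example", "invoice_gbp": 120.0})
    rid_b, c_b = store.put({"client": "Bob Example", "invoice_gbp": 80.0})
    append_block(chain, {"record_id": rid_a, "commitment": c_a})
    append_block(chain, {"record_id": rid_b, "commitment": c_b})
    before = store.resolve(rid_a, chain[0]["record"]["commitment"])
    store.erase(rid_a)
    after = store.resolve(rid_a, chain[0]["record"]["commitment"])
    return verify_chain(chain), before is not None, after is None


if __name__ == "__main__":
    print("on-chain data, erased in place: valid before/after =", demo_on_chain_erasure())
    print("off-chain data, salted commitment: chain valid, resolvable before, gone after =",
          demo_off_chain_erasure())
```

The first demo returns (True, False): the chain verified before the edit and fails afterwards, because block 1 still carries the hash of the original block 0. The second returns (True, True, True): the chain still verifies after erasure, and the orphaned commitment can no longer be resolved to a record. Whether an orphaned salted hash counts as anonymised data for GDPR purposes is a question for your data protection adviser, not for the code.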
However, GDPR focuses on data controllers and their requirement to process data lawfully and fairly. And it should be remembered that it is firms operating private Blockchains who control their implementation and use, so data responsibilities would lie with them. This will mean the nitty-gritty of the GDPR will determine how data deletion requests are handled. For example, is the business legally compelled to retain the data? Tax records must be kept for the statutory period (HMRC requires company records to be kept for at least six years from the end of the financial year they relate to, and many firms keep them for seven) as they may need referring to in years to come. For other, more day-to-day uses, such as project management, the data will eventually no longer be needed for the purpose it was collected for, meaning it should be deleted.
We hope this all makes for some interesting lunch-time reading! Something for you (and your bosses) to be thinking about.