Security and Compliance

What CPAs Need to Know About GDPR

John Lehman
May 24, 2018

The term GDPR is everywhere lately, but what is it exactly, and what does it mean for your firm?

Below, we’ll break down what this regulation is all about and what you need to know before it takes effect.

What is the GDPR?

Created by the European Parliament, the General Data Protection Regulation (GDPR) aims to ensure businesses protect the personal data they acquire from “data subjects” in the European Union.

The GDPR defines “data subject” as “an identified or identifiable natural person,” which, in layman’s terms, essentially means any person who provides their personal data to a business. When you create an account on e-commerce sites like Amazon or eBay, opt in to an email newsletter, or even fill out an intake form at a doctor’s office, you’re providing your personal data to a business.

These businesses are called “data controllers,” which the GDPR defines as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Professional service firms such as yours would also fall under this label.

What’s considered personal data?

Personal data protected by the GDPR includes (but isn’t limited to):

  • Full names
  • Residential addresses
  • Email addresses
  • Identification numbers (driver’s license, social security number, etc.)
  • Banking information
  • Web data (GPS location, cookies, IP addresses, etc.)
  • Medical records
  • Race and ethnicity
  • Sexual orientation
  • Political affiliation

When will the GDPR go into effect?

The GDPR officially takes effect on May 25, 2018. Failing to comply with the regulation could result in hefty fines—as much as $28 million or four percent of the offending company’s annual revenue, whichever figure is larger. However, experts predict such penalties will probably be reserved for the biggest, most egregious offenders who aren’t actively taking steps to protect EU customers’ data.

How does the GDPR affect me?

It’s a common misconception that businesses not located within the EU don’t need to worry about the GDPR, on the belief that EU regulations can’t be legally applied to them. The truth is, international agreements between various countries and the EU mean the GDPR affects businesses worldwide. Regardless of location, any business that collects personal data from customers in the EU must be compliant with the GDPR.

However, if your CPA firm doesn’t collect personal data from clients in the EU, then the GDPR probably won’t apply to you. Still, if you foresee your firm doing so in the near future, then it’s in your best interest to take steps toward GDPR compliance. Even if you never work with a client in the EU, the practices required for GDPR compliance can significantly improve your firm’s cyber-security systems.

What do I need to do to become compliant?

Privacy policies

Start by creating a privacy policy if you don’t already have one. Under the GDPR, your privacy policy must contain simple language that clearly states how you collect client data and what you’re doing with it. You must also disclose whether your business will be sharing a client’s data with a third party and how long you intend to keep their data. Your privacy policy must be easily accessible on your site, or made readily available upon request.

Demonstrable consent

The GDPR also requires businesses to obtain explicit consent from a customer in the EU before using their personal data for business purposes. For example, if you need to collect financial and tax documents from a client to complete your work for them, you need to obtain the client’s consent to collect and hold this data and for the ways in which you intend to use it. This can often be achieved by adding a clause to your client intake forms, or adding a box to your online forms that respondents can check to indicate consent.

Expanded rights

New rights granted to individuals in the EU under the GDPR include the Right to Access and the Right to be Forgotten. The Right to Access allows individuals in the EU to obtain their data from a data controller upon request. The data controller must provide this data to the individual at no cost. The Right to be Forgotten allows individuals in the EU to request that any data controller that possesses their personal data purge it from its records.

Data management

It’s vital that you know where your clients’ personal data is so you can retrieve it in the event of a request. If this data is stored on your machines, make sure it is stored in an encrypted digital locker and can only be accessed by authorized personnel. If any data is handled by a third party, such as an online payment processor, you’ll need to reach out to them to retrieve it if you receive a request.

It’s also your firm’s responsibility to confirm that any request for data is legitimate. This can be accomplished by checking the requestor’s identity against personal data you’ve already legally obtained, for example by asking them to recite their home address or phone number. If you can’t verify that the request is legitimate, then the request must be denied.

What happens next?

The GDPR is still relatively new as of this writing—its full impact will be seen in coming months and years. Though the GDPR may seem imposing, most professional service firms have nothing to fear. As long as you evaluate current data security practices (and adjust where necessary), adhere to new consumer rights, and maintain transparency about personal data usage, your firm should be in the clear.

If you want to learn more about the GDPR, you can read the regulation in full on its EUR-Lex page.