ICO Urges Accountants To Provide GDPR Compliance Support

Written on 03 April 2023.

The Information Commissioner’s Office has recently called for accountants to play their role in SMEs' data protection compliance. For a lot of accountants, this news has not gone down well as many do not believe that it is their role or responsibility to talk to their clients about GDPR, particularly as it is not generally their area of expertise. Interestingly the ICO did not contact any accountants to get their view on this proposal.

In this article we will explore exactly what the ICO has proposed, what this means for accountants, and how your accountancy practice could potentially use this to your advantage to secure new business or increase the satisfaction and retention rates of your existing client base.

Why does the ICO want accountants to provide GDPR compliance guidance to SMEs?

The ICO is aware of the vital role that accountants play in helping SMEs. Recent research carried out by the UK regulator based on 200 SMEs in 2021 showed that 34% of clients trust their accountant for advice. Because of this, the ICO would now like their role to extend to prompting clients to get their data protection compliance right. Not only would this benefit the customers who already go to their accountants for advice, it would also encourage the remaining 66% of SMEs who currently do not. Knowing that they can go to their accountant for advice on GDPR will add value to clients and build trust; knowing that their accountant has the knowledge and expertise to offer advice on GDPR will be a huge asset.

What does the ICO want accountants to do?

The ICO has created a list of 7 questions that they would like accountants to ask their SME clients about their data protection compliance.

1. How much do your clients know about data protection compliance and the ICO?
2. What types of personal information will you collect on a day-to-day basis?
3. Why are you holding this personal information?
4. What security measures do you have in place?
5. Do you have a privacy notice?
6. Do you know what a Data Subject Access Request (DSAR) is?
7. Do you know if your business has a personal data breach?

How much do your clients know about data protection compliance and the ICO?

It is always useful to begin by understanding a client’s level of knowledge; to establish whether or not they have heard of the legislation and whether they have given any thought to how they will apply it to their business. Do they understand the importance of handling personal data correctly and are they aware that they can have access to the free resources that the ICO offers?

What types of personal information will you collect on a day-to-day basis?

This is where accountants can ask their clients to make a list of the personal information they have or will have. They need to be aware that they are accountable for all of it.

Why are you holding this personal information?

This is the time to ask “Why?” Does the client know why they are holding this information? Is it necessary to hold everything that they have?

What security measures do you have in place?

This is a very important question. Is that personal information protected? What security measures are in place? If there are any risks that the information may be leaked or misused then stronger measures must be put in place to secure the information.

Do you have a privacy notice?

People need to be told why their information is being held, what will be done with it and how long it will be kept before it is safely disposed of. This is normally done via a privacy section in your terms and conditions or via a dedicated privacy notice.

Do you know what a Data Subject Access Request (DSAR) is?

It is important to bear in mind that any customer or member of the general public has the legal right to ask what personal information is held about them.

Do you know if your business has a personal data breach?

Even the strongest security measures should have a data breach action plan, however unlikely it is that a personal data breach should occur.

What do accountants think of the ICO request?

This new suggestion from the ICO has not been popular with accountants and there have been some common objections.

• A lot of accountants have raised the issue that they do not feel qualified to be offering legal advice to clients as it’s not traditionally the area of expertise for accountants.
• Accountants have raised concerns that advising clients on GDPR will add to an already stretched workload and it is another thing that they are now expected to manage
• Pay is something else that has been queried. Are accountants going to be paid for the extra work?

What are the benefits for accountants?

Whilst there are obvious concerns around this new suggestion from the ICO, it is worth pointing out some benefits too;

• It provides your firm with a competitive advantage as you will be offering a service that other accountants may not offer
• You can outsource your GDPR client support to Databasix without you needing to take on the work directly, thus providing you with a range of additional revenue streams for minimal effort on your part
• Alternatively you can move the task away entirely by signposting yout client to the Databasix team
• Widening the scope of knowledge and support that you provide clients with, increases their dependency & trust in your team and your company, which can lead to higher retention rates as clients can no longer simply compare you with other accountancy firms on just financial aspects; they’ll be inclined to factor in the other value you add to their business
• The potential to charge slightly higher fees to reflect additional services

Free resources for SMEs

The ICO has a hub of GDPR-related resources for SMEs such as;

• A handy library of resources
• The benefits of data protection laws

In addition, Databasix have a wealth of user friendly tools and information including:

Articles:

• Getting started with data protection - top tips for beginners
• Data protection fee: How much is it & who needs to pay?
• Glossary of GDPR related terms
• What is a DSAR & how long do you have to respond?

Infographics:

• ICO and your business
• GDPR rights of data subjects
• GDPR made simple

Self-assessments:

• Understanding how well place you are to respond to a DSAR or data breach

Videos & Social Media:

• The Databasix YouTube channel is packed full of practical videos to support data protection compliance.
• You can also follow us on Facebook which provides you with a fast & easy way to keep up to date with the latest news, insights and tips

Want to get ahead of the competition? Databasix provides three routes of support for accountants.

We offer a number of GDPR training courses and support to give you the knowledge and expertise to advise your clients if you’re happy to take on the work in-house.

Alternatively, we also provide a number of solutions to help accountants support their clients in different ways:

1. Outsource GDPR compliance support to Databasix as a “white label” service. This way accountants can comply with the ICO’s request, and provide value-adding services for clients, whilst not having to perform the work themselves.
2. Signpost clients to us and our team can help them from that point which will take the workload off the accountant.
3. Or we can provide the accountancy firm with a standard FAQs-style infographic that will answer the most commonly asked questions.
   
   

Please contact us to find out how we can support you