ICO calls on accountants to help SMEs with data compliance

From assisting SMEs with intricate tax requirements to ensuring businesses meet their financial and regulatory obligations, accountants have long acted as trusted advisors to their SME clients.

Now, as the landscape of data security and protection continues to evolve and, with it, the need to improve the security posture of UK SMEs, the Information Commissioner’s Office (ICO) is urging accountants to leverage their trusted advisory role and help SMEs understand and meet their data protection obligations, particularly how to meet compliance with the UK-GDPR. 

In this blog post, we will delve into the ICO’s recent guidance, explore its implications, and discuss how accountants can assist their SME clients in complying with the GDPR and safeguarding their business data.

‍

Understanding the ICO’s Guidance: 

‍

According to research conducted by the ICO, over a fifth of small businesses seek guidance from their accountants regarding security and data compliance. While accountants aren’t expected to become data compliance gurus, their expertise in the broader regulatory landscape often positions them as valuable advisors to their clients.

Recognising this, the ICO is urging accountants to familiarise themselves with the data security and protection requirements mandated by the UK-GDPR. This initiative aims to not only enhance the data protection practices of SMEs across the UK but also empower accountants to fulfil their data protection responsibilities, especially in light of the growing number of cyber security attacks against accountancy and payroll firms over the last three years.  

What does the guidance entail?

The ICO is calling on accountants to guide their clients through 7 key data protection questions. These questions have been designed to build their clients' awareness of their obligations under the UK-GDPR and get them to think about how they will implement the processes which will enable them to meet compliance.

Let’s dive into these critical questions:

• How much does your client know about data protection, compliance and the ICO? This crucial question aims to increase your clients' awareness of their obligations under the UK-GDPR while familiarising them with the ICO, what they do and some of the services they offer to SMEs. As accountants often engage with businesses from their early stages, this question presents the perfect opportunity to assist new SME owners in establishing a strong foundation for data protection right from the start.

‍

• What types of personal information will your client collect on a day-to-day basis? Help your clients think about the personal information they handle regularly and where it is stored. While going through your clients’ exact data collection process is not necessary, getting your clients thinking about what counts as personal data is crucial in ensuring they store it securely.

‍

• Why is your client holding this personal information? Emphasise the importance of fair, lawful and transparent data processing and how this is a legal obligation under the UK-GDPR. The ICO provides a helpful interactive tool to help your clients understand the boundaries within which they can process data, including what type of consent they require and which processes they’ll need to implement internally to ensure personal data is processed correctly.

• What data security measures does your client have in place? Again, the aim of this question isn’t to test your own cyber security knowledge but to get your clients thinking about whether their current cyber security posture aligns with the type of sensitive information they’re handling. For more information on SME cyber security, look at our blog detailing 7 ways your SME clients can begin to secure their businesses.

• Does your client have a privacy notice? If your client has a website, they’re obliged to have and publish their own data privacy notice detailing how they collect, store and process information. If your client uses tracking software, they must also have a cookie policy on their site detailing which tracking cookies they use and what they’re used for. 

• Does your client know what is a Subject Access Request (SAR)? Educate your clients that their customers have a right to request access to the personal information your clients hold about them through a Subject Access Request. Click here for a step-by-step breakdown of how to handle SARs.

• Does your client know what to do in case of a personal data breach? This question is crucial for both accountants and their clients alike. It is designed to help your clients start thinking about how they would handle a potential data breach, the avenues through which cyber criminals could access their data, and which steps they would take to limit any further data loss. 

‍

In conclusion, while accountants may not need to become experts in the intricacies of data privacy legislation like the UK-GDPR, they can still play a crucial role as a valuable resource for their clients. By familiarising themselves with the basic principles of legislation like the UK-GDPR, accountants can help SMEs increase their awareness of their legal obligations regarding data protection, particularly during the early stages of building their businesses. Additionally, by keeping data security and privacy top of mind, accountants can ensure their firms' and clients' sensitive data remains protected.

‍

At Naq, we recognise the challenges SMEs, especially accountants, face when building a robust cyber security posture and meeting their data compliance obligations. Our automated platform enables accountancy firms across the UK and Europe to implement the necessary security measures they need to keep their clients' data secured while effortlessly meeting their legal data compliance obligations, including the UK-GDPR, Cyber Essentials, and more.

‍

For additional guidance on how to help your clients navigate their data compliance requirements, or to learn more about how Naq can help you meet your data protection obligations and keep your customers' data secure, click here.