Accountants to stop questioning if they are GDPR compliant - interview and checklist by Bill Mew
We had the pleasure of interviewing the advisor behind our latest GDPR whitepaper and checklist, which was published to help accountants stop second-guessing whether they are GDPR compliant, especially when it comes to the communication software they use with their team and their clients.
Our latest interview had a little plot twist, as we enjoyed talking to the one and only Bill Mew. A digital ethics campaigner and CEO of CrisisTeam UK, Bill is an entrepreneur and a high-profile opinion leader who seeks to strike the right balance between meaningful protection of civil liberties, such as digital privacy and cybersecurity, and maximising the economic and social value of AI, cloud, innovation and digital transformation.
Bill has also been profiled as the top global influencer for privacy and digital ethics, and helped lead the crowdfunding to launch None of Your Business (noyb), an NGO for pan-European privacy enforcement that brought the main cases against Facebook and others on the first day that GDPR was enforced. [1]
When it comes to innovative use of technology, he was listed as one of the global top 100 cloud influencers (second highest in Europe), and he is ranked in the global top 10 for smart cities, govtech and other digital transformation themes.
So you may be asking: why should accountants worry so much about being fully GDPR compliant? A very recent example is the September 2022 enforcement action in which the US SEC and CFTC fined a group of Wall Street firms a combined $1.8 billion for failing to maintain and preserve electronic communications, and for using unapproved channels such as WhatsApp to conduct business. [2] Those penalties were imposed under US securities record-keeping rules rather than GDPR, but the underlying failure, business conversations held on personal devices and apps that the firm cannot retain, search or audit, is exactly the one this whitepaper is concerned with.
The message is clear: firms should stick to strict policies for their communication systems and steer clear of non-approved methods of communication on mobile devices or personal phones, leaving no room for ambiguity: “It is advisable to adopt a zero-tolerance posture for any policy violations.”
But don’t just take our word for it. Read the discussion with Bill Mew below, which brings additional clarity on this subject, or watch the video if you are short on time.
[1] https://www.grcworldforums.com/privsec-focus-enterprise-risk/bill-mew/5290.article
[2] https://news.bloombergtax.com/financial-accounting/beware-of-messaging-app-crackdown-on-wall-street-19
What is the biggest issue accountants face when it comes to GDPR compliance and cyber security?
As the accountancy world grows and rapidly adopts a more cloud-based, digital approach, the risk of a cyber breach grows with it. Long gone are the days when antivirus software or a firewall was sufficient protection against cybercriminals. Accountants usually hold a lot of valuable information, such as financial details, tax IDs, bank account details, payroll data and possible future strategies, so they are prime targets for hackers and cybercriminals.
There is a clear need to keep this sensitive information safe from attack, as a breach puts the client’s private information at risk and can cost the accountant their reputation and a large fine.
“We have a significant issue in terms of cyber security and information security in general when it comes to accountants and how they serve their clients,” shared Bill in our chat last week.
While cyber attacks hold businesses to ransom and force them to invest more money in cyber security, Bill Mew points out that this is not always a straightforward process, which makes it an extreme challenge for accountants and their clients. This is mainly because many of the organisations that accountants deal with have a primary focus on ROI metrics such as profit and revenue, without a corresponding ROR (Return-on-Risk) focus, that is, a sufficient budget for those responsible for compliance and security.
“But as accountants, not only are you helping an organisation to measure and account for performance, you also need to make them aware of their risk orientation themselves, because that’s very important, [without further] contributing to that risk orientation. You need to think about the way you, as an accountant, are interacting with clients.”
So, as an accountant you want to serve your client while ensuring that you are not adding to any problems (cyber security and compliance) your clients may already have, and you do not want to get your own accounting firm into the same trouble. Whoever the client is, the need to comply remains, and the responsibility lies in the accountant’s hands.
“Ideally, you want your client to be risk-aware and to have a sensible appreciation of the need for [GDPR] compliance, but also as an accountant, if a client says ‘let’s communicate on WhatsApp because it’s easy’, you should take the responsibility to caution them and say ‘Hold on, there is a risk here not just to me, there is a risk to you because you are not doing something that is in accordance with what we both need to do in terms of compliance’.”
So, whatever challenges an organisation may face internally in ensuring it is GDPR compliant and in reducing its cyber security risk, accountants need to be aware of the impact they can have, both through their chosen method of communication and through the advice they give to the businesses they work with.
What could that mean for your firm? And are you using a communication software provider that could get your accountancy practice and your clients in trouble?
Failure to be GDPR compliant puts both large and small practices at risk
There are many reasons why it is important to take GDPR compliance seriously, as outlined in the whitepaper: to protect data, to ensure a clean audit trail and to retain control over that data, to name just a few.
There are also very sensible reasons to steer clear of platforms like WhatsApp for business communication. Recently, Wall Street banks were collectively fined a total of $1.8bn for failing to meet strict record-keeping requirements, and much of that related to the use of WhatsApp. Note that these were penalties under US securities law, not GDPR fines; they are cited here because the failure, business correspondence on channels the firm could not preserve, is the same one that creates GDPR and audit-trail exposure for an accountancy practice.
In July 2019, the ICO announced its intention to fine British Airways £183m over a security breach, the first penalty to be publicised since the introduction of the General Data Protection Regulation (GDPR) in May 2018 (the final penalty, issued in October 2020, was reduced to £20m). [3]
This clearly demonstrates that firms need to take record retention seriously or risk falling foul of the law. Best practice is a centralised platform for communications and record keeping that is also tamper-proof, meaning that once a message is recorded it cannot be silently edited or deleted and the record remains with the firm. Chat apps like WhatsApp allow tampering: messages can be deleted or edited on the device, and because the record lives on an individual’s phone, employees who leave your firm or your clients’ companies take vital correspondence with them.
Though these examples involve large corporations, accountancy firms of any size should not underestimate the level of threat this poses to them too, given the amount of personal data they handle on a daily basis.
Bill Mew’s words support this: “We have already seen on Wall Street fines on 16 different banks totalling $1.8bln. This is seeing a GDPR fine at a level that has never been seen before. So far much of this hasn’t touched accountants. That’s only because it hasn’t reached them yet. It doesn’t mean that they won’t get fined heavily for doing exactly the same things.”
In his opinion, if as an accountant you lack GDPR compliance and use WhatsApp or other inappropriate software for communication, not only are you opening yourself up to fines, you are also involving your client base. “Let’s say you are dealing with directors and discussing how you account for their financial performance. If there is later a dispute or an enquiry and you haven’t kept accurate records that are tamper-proof and that are immutable, you could also be opening yourself and your client up for other difficulties.”
Should SMEs accountancy firms have this on their radar? Definitely.
“If there is an accounting firm and they are not keeping accurate tamper-proof records of their communication with their clients, they need to be concerned, first of all, about what happens if there is ever a misinterpretation of or dispute about any advice they’ve given. If a client challenges you and you are unable to show a tamper-proof record of exactly what advice you gave, you have undermined your defence in the event of any misinterpretation or dispute.”
And the consequences could involve ending up in court (Yikes!), where an absolutely tamper-proof record will be your best defence.
“It is absolutely essential for accountants to have that”
So don’t think twice and check which boxes your communication software needs to tick to be considered GDPR compliant and away from trouble.
[3] https://www.icaew.com/technical/technology/cyber-security/cyber-security-articles/cyber-security-how-accountancy-should-address-risks
What is the best approach to make sure that accountancy firms are compliant?
“So I spoke a little bit about the difficulties between having an ROI (Return-on-Investment) focus and an ROR (Return-on-Risk) one [in an organisation]. If accountants can be aware of that for their clients, then they can provide sensible advice to them on how they should communicate in a responsible manner and how they should treat any personally identifiable information that they share between them, ensuring that they are doing that in a fully compliant manner.
Also, not only should they be totally doing this with clients, they should also be doing this internally. Within an accountancy organisation you shouldn’t just have a purely ROI focus, you should have an appreciation of risk in terms of the potential fines or reputational damage that you could incur if you fail to be compliant.”
Normally, by the time you are facing a fine it is already too late. So it is important, according to Bill, that your accountancy firm has the right risk orientation and the right compliance orientation from the get-go.
“This is going back to an accountant’s reputation which is ultimately their greatest asset - if they are being cavalier with compliance they are putting this asset at risk. What is more, they are also endangering their clients’ safety and reputation”, shares Bill.
Much of this is simply going into a little more depth on risks that many people are not aware of, and the choice of communication software is an area that is easily neglected.
What about Brexit?
The government has recently put forward proposals under the Data Protection and Digital Information Bill that would have made a great deal of change. The problem is that any organisation in the UK that either wants to trade with Europe or that holds the data of a European citizen still has to comply. So you could be a UK accounting firm with no clients in Europe, but one or two of the key clients you deal with could be EU citizens, and therefore you have to comply with the EU version of GDPR.
If the UK government then introduces a regulation around a UK version of GDPR which diverges in any way, then all of a sudden you need to comply with two different versions at the same time. So there is no effective saving from having a simplified version in the UK, because you still need to comply with the European law; you would just be creating extra bureaucracy. [4]
There is more information on what Brexit changed in the full GDPR whitepaper.
[4] https://www.accountingweb.co.uk/tech/tech-pulse/the-dangers-of-chaotic-gdpr-reform
Why should accountants and finance professionals refrain from using WhatsApp or Facebook Messenger for communication?
“As a professional organisation and accountant, your reputation is everything to you. And if you are going to be cavalier with compliance, either in terms of your messaging communications, or your handling of private information or the way in which you deal with clients, then you are insufficiently aware of what the risks are and the first thing that would go is your reputation.”
And that is really hard to build back up.
According to Bill, “essentially, accounting firms don’t have much when it comes to assets. Their greatest asset is their brand and reputation. And that’s why I go back to the ROR and ROI focus - if you are totally focused on ROI then you will be focused on revenue and profit, and you could fail to appreciate the potential risk to your reputation and not adequately adhere to your client’s obligations.”
In other words, if things go wrong and there is a dispute with a client, unnecessary regulatory involvement or potentially a cyber incident, then all of a sudden the accountancy firm will see its brand damaged, with a massive impact on its greatest asset, its reputation.
GDPR has been in place for four years now and, in Bill Mew’s words, “If you are not taking it seriously, you are already in a level of trouble.” There are additional complications since the Schrems II challenge against Facebook, in which the Court of Justice of the EU overturned the Privacy Shield, the data sharing agreement between Europe and America, in July 2020. As a result there is now an extra obligation on the way to GDPR compliance: you need to take supplementary measures whenever you are dealing with a US technology company, whether that is a cloud provider, a SaaS provider or anything similar.
“Not only do you need to make sure you are GDPR compliant, but if you are using a US technology firm for your cloud hosting or any of your applications you also need to be taking these supplementary measures to make sure that you are compliant. Unless you are going to read this paper you are probably not gonna be aware of what the implications here are.”
Secondly, if you are giving advice to clients or communicating with them through any communication software, then inevitably you are not only at risk of sharing personal information across those channels, you also need to think seriously about keeping a tamper-proof record of all of your communications. If you are using systems like WhatsApp, not only do they not comply with GDPR, you also have no tamper-proof record of those communications. And neither do your clients.
Bill, how can accountants go about ensuring they are GDPR compliant and adhere to the law?
Start by taking a look at your current software, the level of communication and whether it is GDPR compliant both ways. My advice? Have a look at the GDPR checklist because it has all the answers.