Data protection measures and practices that accounting firms and software providers must enforce

21st July 2020

The General Data Protection Regulation (GDPR) was introduced in a bid to strengthen the protection of data and refresh existing legislation.

With it came new measures and practices for any business handling the personal data of its clients. Not just the way that it is stored, but also how customer information is used, transmitted, and collected. For accountants and for the software providers they use, where handling confidential data happens multiple times daily, this was huge news.

The impact of data handling rules for fintech and its users

Unfortunately, there’s no such thing as a cookie-cutter approach, where one data management system fits all businesses of all sizes. Probably the closest thing to a flexible solution are the cloud-based software providers. Not only do they supply the software, they supply the remote-server which stores the information going through it.

Accountancies taking ultimate responsibility for their clients’ data need to see that fintech is highly secure. Equally, the tech firms must meet stringent security requirements in order to get the appropriate licensing. It’s a tightly controlled sector, and that’s fair enough. Nobody wants their personal information to start leaking out everywhere.

Scotland to trial four-day workweek
Trending
Scotland to trial four-day workweek

What data protection measures must an accountancy firm take?

Ensure you have a registered data controller

Somebody within the company must be registered with the Information Commissioner’s Office (ICO) as a data controller. This isn’t a new formality so even for those established before GDPR this was probably already a box ticked.

Carry out an internal audit

Audit existing processes and systems against the compliance requirements will reveal the holes which need improvements.

Common weaknesses tend to be in how data is received or transmitted. Any software being used should also be compliant in the way data is treated and transferred.

For instance, bank feeds connect a user’s bank account to their bookkeeping software, automatically logging transactions. From bank to software and the connection in between, it’s a data sensitive process. This is why they’re subject to stringent regulation.

Create a Privacy Policy or ‘Privacy Note’

This is a public document which communicates the data protection measures you are taking. Practices are required to provide clients with access to this as soon as any information is requested from them. This includes the sign-up form.

There are plenty of official resources on the internet to help write a privacy document but in general it includes:

  • Details and identity of the company and its Data Protection Officer
  • Information regarding the transfer of data to any third parties
  • The retention period of the data (i.e. how long you intend to keep hold of it for)
  • How to withdraw consent at any time (where applicable)

Requesting client consent

As well as signposting to a privacy document when requesting information, businesses are also obliged to get consent for acquiring someone’s data. The opt-in must be deliberate, too – no pre-ticked or opt-out boxes here! This is especially important when designing website forms.

Provide access to personal data

Any individual must have readily available access to the information stored about themselves, upon request. This must be done so free of charge unless there are mitigating circumstances which make a fee viable, such as if the information is requested repeatedly.

Letters of disengagement

If and when a client decides to leave a firm, a letter of disengagement must be provided. It should clearly state how long their information will be retained before it is destroyed. The document should also outline exactly how this information will be disposed of.

If a controller or processor of data was to fail in complying with the regulations, they could be subject to a penalty of up to 4% of the company’s annual turnover or around £17.8 million – whichever sum is the larger of the two. So, failing to comply with GDPR is not only bad practice and inconsiderate towards customers, it can also be potentially fatal for a business when it comes to its finances.

The list above is by no means an exhaustive list of what is required of accounting firms around data protection. If this is something you are addressing in your business; we recommend seeking the advice of a legal professional for more in-depth information.

Pandle is a free accounting software designed to save time and reduce errors in bookkeeping. Learn more about using Pandle with your accountancy and bookkeeping clients.

We think you'll like:

Bekki Barnes

With 5 years’ experience in marketing, Bekki has knowledge in both B2B and B2C marketing. Bekki has worked with a wide range of brands, including local and national organisations.

The rise of loyalty apps

Sue Azari • 17th January 2025

Increased choice and a consumer more price sensitive than ever before, has made customers far more likely to shop around for the best deals. Price is now the number one factor in brand consideration. In an effort to bag a bargain, loyalty programs have become increasingly popular with consumers, with nine out of ten in...

Rocket launch challenges Elon Musk’s space dominance

Professor Sultan Mahmud • 16th January 2025

Amazon founder Jeff Bezos’s space company has blasted its first rocket into orbit in a bid to challenge the dominance of Elon Musk’s SpaceX. The New Glenn rocket launched from Cape Canaveral Space Force Station in Florida at 02:02 local time (07:02 GMT). It firmly pits the world’s two richest men against each other in...

Giesecke+Devrient launches new Smart Label at CES 2025

Giesecke Devrient • 06th January 2025

G+D has today launched the G+D Smart Label, its innovative tracking solution that transforms any package into an IoT device. Ultra-thin and only slightly larger than a credit card, the new Smart Label proposition has been jointly developed by G+D in conjunction with its hardware partner, Sensos to enable cost-effective, accurate location tracking for a...

Choose an AI solution to transform beyond technology

Kit Cox • 09th December 2024

The first step is knowing exactly what your business wants to achieve with AI; think faster, smarter and more efficient. Once you know what you are working towards, you can start looking for a solution that can help you make it a reality. AI integration can feel like a daunting task at the beginning, so...

A Roadmap to Security and Privacy Compliance

John Lynch Director of Kiteworks • 04th December 2024

Only by understanding the current regulatory environment and implementing robust data protection measures, can organisations enhance their security posture, ensure compliance, and build resilience against the latest cyber threats. This article provides a comprehensive roadmap of how to do it.

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...