What Accountants Need to Know About New EU Privacy Regulations

The Financial Accounting Resource Center™ is a comprehensive research service that provides the full text of standards, the latest news from the Accounting Policy & Practice Report ®,...

By Courtney Rozen

U.S. accounting firms beware: The European Union’s new data privacy regulations may apply to you, too.

The General Data Protection Regulation, which took effect May 25, regulates how companies process personal data. Companies that reside in the EU, serve its residents, or monitor their behavior must comply. Potential violators could face a maximum penalty of 4 percent of global annual revenue or 20 million euros ($23.5 million), whichever is higher—steeper than under the EU’s 1995 Data Protection Directive.

For accounting firms, GDPR compliance isn’t a quick information technology fix. Firms may need to make system and personnel changes and must assess risk, appoint people, and evaluate vendors to comply.

They also must manage a growing number of other GDPR-like privacy regulations, such as a new California privacy law, and address any uncertainty about how the EU rules will be enforced.

“GDPR could become effectively a global standard,” said Stephen Bonner, cyber risk partner at Deloitte LLP in London.

Here’s what accounting firms need to know about GDPR:

Assess Risk

The GDPR doesn’t just apply to multinational CPA firms with offices in the EU. Firms established outside the EU—that either serve the bloc’s residents or monitor their behavior—have to comply, too.

While Americans view the use of their personal information “as contractual and a matter of negotiation,” Europeans see it “as a matter of personal privacy,” Bonner said.

Small and mid-size firms that serve EU-based clients shouldn’t ignore GDPR because it might apply to them, said Donny Shimamoto, managing director of IntrapriseTechKnowlogies LLC, a Hawaii-based CPA firm that advises companies on risk management.

Firms that are subject to GDPR requirements should conduct a data protection impact assessment—a risk assessment—to determine what data they have and where it is located. From there, they can make a plan to lower the risk of a breach, said Lindsey Whinnery, a Utah-based partner at cybersecurity firm Traina & Associates.

“You can’t protect things that you don’t know you have,” said Joel Lanz, a New York-based CPA and IT risk management consultant.

Risks vary across a firm’s service lines, said Yigal Rechtman, a partner with the privacy and IT compliance consulting firm RSZ Forensic Associates in New York. For example, tax accountants may collect Social Security and bank account numbers, while audit services keeps a list of a company employees. The risk of a breach increases based on factors such as how long and how much information is stored, along with other factors, Rechtman said.

The GDPR law requires that companies retain data “no longer than is necessary.”

Appoint Leaders

Accounting firms need to establish policies on how data will be acquired, stored, and deleted, and then they need to enforce them, Lanz said. Individual violations can threaten security, such as when an employee downloads customer data to their laptop to speed up workflow, Lanz said.

The GDPR also calls for firms to appoint a data protection officer, or someone to manage compliance with the set of privacy rules. PricewaterhouseCoopers LLP has a dedicated data protection officer and team in the U.K., said Jenny Etherton, the firm’s London-based GDPR program director. One of the group’s tasks is training employees on data protection, Etherton said.

At RSM UK Group LLP and the U.K. operations of Ernst & Young LLP, legal counsel leads GDPR compliance, meaning those firms are treating it as a legal, and not an IT, challenge.

For a smaller firm, picking an IT or office manager for the position is the wrong move, Lanz said, because they may not have the authority to enforce a firm’s data policy.

“This is something they have to own and they have to direct, govern, manage as critical as anything else,” Lanz said.

Evaluate Vendors

CPA firms, especially small firms, often outsource tasks that aren’t part of their core business. These vendors—such as providers of file-sharing services—need to comply with the EU law, too, because they may have access to client information, Whinnery said.

Accounting firms should review their vendor agreements for GDPR compliance language, Whinnery said.

Vendor compliance comes into play with the law’s breach disclosure rule, which calls for companies to report a data breach within 72 hours. If an accounting firm’s contract with a vendor states it has two weeks to report a breach, for example, the firm will miss the deadline, Lanz said.

There are temporary workarounds for firms using a vendor that isn’t GDPR-compliant: A firm could use a code instead of a client’s real name, although this should be a last resort, Lanz said.

Accounting firms with vendors that aren’t GDPR compliant should consider other options, Whinnery said.

The New Normal

The EU hasn’t yet fined a business for violating the GDPR. However, compliance will raise the costs of business in the EU, affecting smaller firms that may not be able to afford to comply, Rechtman said.

California passed its privacy law on June 28, which will take effect in 2020. The law gives Californians the right to opt out of the sale of their personal information, the ability to have their data deleted, and a right to know what information has been collected, Bloomberg Law reported.

Accounting firms should keep an eye on the California law, Whinnery said, because it signals additional state or federal regulations may be on the horizon.

In the meantime, accounting firms should also train their front-facing staff, like receptionists, to handle customer data requests, including GDPR-related inquiries. A receptionist should know who to contact when a client asks the firm to delete the client’s financial statements, for example.

“This is the new normal, so why not start preparing now?” Whinnery said.

With assistance from Michael Kapoor in London.

To contact the reporter on this story: Courtney Rozen at crozen@bloombergtax.com

To contact the editor responsible for this story: S. Ali Sartipzadeh at asartipzadeh@bloombergtax.com

Copyright © 2018 Tax Management Inc. All Rights Reserved.

Request Financial Accounting