The Accounting Policy & Practice Report ® provides financial accounting policy makers, advisors, and practitioners with the latest news, expert insights, and guidance on emerging, evolving,...
U.S. accounting firms beware: The European Union’s new data privacy regulations may apply to you, too.
The General Data Protection Regulation, which took effect May 25, regulates how companies process personal data. Companies that reside in the EU, serve its residents, or monitor their behavior must comply. Potential violators could face a maximum penalty of 4 percent of global annual revenue or 20 million euros ($23.5 million), whichever is higher—steeper than under the EU’s 1995 Data Protection Directive.
For accounting firms, GDPR compliance isn’t a quick information technology fix. Firms may need to make system and personnel changes and must assess risk, appoint people, and evaluate vendors to comply.
They also must manage a growing number of other GDPR-like privacy regulations, such as a new California privacy law, and address any uncertainty about how the EU rules will be enforced.
“GDPR could become effectively a global standard,” said Stephen Bonner, cyber risk partner at Deloitte LLP in London.
Here’s what accounting firms need to know about GDPR:
The GDPR doesn’t just apply to multinational CPA firms with offices in the EU. Firms established outside the EU—that either serve the bloc’s residents or monitor their behavior—have to comply, too.
While Americans view the use of their personal information “as contractual and a matter of negotiation,” Europeans see it “as a matter of personal privacy,” Bonner said.
Small and mid-size firms that serve EU-based clients shouldn’t ignore GDPR because it might apply to them, said Donny Shimamoto, managing director of IntrapriseTechKnowlogies LLC, a Hawaii-based CPA firm that advises companies on risk management.
Firms that are subject to GDPR requirements should conduct a data protection impact assessment—a risk assessment—to determine what data they have and where it is located. From there, they can make a plan to lower the risk of a breach, said Lindsey Whinnery, a Utah-based partner at cybersecurity firm Traina & Associates.
“You can’t protect things that you don’t know you have,” said Joel Lanz, a New York-based CPA and IT risk management consultant.
Risks vary across a firm’s service lines, said Yigal Rechtman, a partner with the privacy and IT compliance consulting firm RSZ Forensic Associates in New York. For example, tax accountants may collect Social Security and bank account numbers, while audit services keep lists of a company’s employees. The risk of a breach increases with factors such as how much information is stored and for how long, Rechtman said.
The GDPR law requires that companies retain data “no longer than is necessary.”
Accounting firms need to establish policies on how data will be acquired, stored, and deleted, and then they need to enforce them, Lanz said. Individual violations can threaten security, such as when an employee downloads customer data to their laptop to speed up workflow, Lanz said.
The GDPR also calls for firms to appoint a data protection officer, or someone to manage compliance with the set of privacy rules. PricewaterhouseCoopers LLP has a dedicated data protection officer and team in the U.K., said Jenny Etherton, the firm’s London-based GDPR program director. One of the group’s tasks is training employees on data protection, Etherton said.
At RSM UK Group LLP and the U.K. operations of Ernst & Young LLP, legal counsel leads GDPR compliance, meaning those firms are treating it as a legal, and not an IT, challenge.
For a smaller firm, picking an IT or office manager for the position is the wrong move, Lanz said, because they may not have the authority to enforce a firm’s data policy.
“This is something they have to own and they have to direct, govern, manage as critical as anything else,” Lanz said.
CPA firms, especially small firms, often outsource tasks that aren’t part of their core business. These vendors—such as providers of file-sharing services—need to comply with the EU law, too, because they may have access to client information, Whinnery said.
Accounting firms should review their vendor agreements for GDPR compliance language, Whinnery said.
Vendor compliance comes into play with the law’s breach disclosure rule, which calls for companies to report a data breach within 72 hours. If an accounting firm’s contract with a vendor states it has two weeks to report a breach, for example, the firm will miss the deadline, Lanz said.
There are temporary workarounds for firms using a vendor that isn’t GDPR-compliant: A firm could use a code instead of a client’s real name, although this should be a last resort, Lanz said.
Accounting firms with vendors that aren’t GDPR compliant should consider other options, Whinnery said.
The EU hasn’t yet fined a business for violating the GDPR. However, compliance will raise the costs of business in the EU, affecting smaller firms that may not be able to afford to comply, Rechtman said.
California passed its privacy law on June 28; it takes effect in 2020. The law gives Californians the right to opt out of the sale of their personal information, the ability to have their data deleted, and a right to know what information has been collected, Bloomberg Law reported.
Accounting firms should keep an eye on the California law, Whinnery said, because it signals additional state or federal regulations may be on the horizon.
In the meantime, accounting firms should also train their front-facing staff, like receptionists, to handle customer data requests, including GDPR-related inquiries. A receptionist should know who to contact when a client asks the firm to delete the client’s financial statements, for example.
“This is the new normal, so why not start preparing now?” Whinnery said.
With assistance from Michael Kapoor in London.
To contact the reporter on this story: Courtney Rozen at firstname.lastname@example.org
To contact the editor responsible for this story: S. Ali Sartipzadeh at email@example.com
Copyright © 2018 Tax Management Inc. All Rights Reserved.