EU Data Protection and Ignition. Preparing your engagement letters for GDPR
1. An Overview of GDPR
By May 25th, 2018, any organisation that processes the personal data of EU citizens needs to be compliant with the GDPR. The GDPR (General Data Protection Regulation) replaces the Data Protection Directive 95/46/EC, which was incorporated into UK law by the Data Protection Act 1998 (DPA). The GDPR is not entirely new legislation and retains the core rules and principles of the Data Protection Directive, but it is an overhaul of the existing European Commission data protection legislation.
The aim of the GDPR is to unify the existing data protection laws and strengthen the security and protection of personal data in the EU. EU citizens are given new rights that profoundly change the way IT systems are allowed to process and control personal data, giving individuals back control of their personal information. Effectively, the GDPR gives the individual more rights over their own personal data. Therefore, as a data processor (somebody who has access to that data), you must be aware of the rights of the individual and know how to ensure the protective measures are in place.
There is a common misunderstanding that the GDPR requires all data to be stored within the EU, but this is not the case. Rather, the GDPR prevents data from being transferred outside of the EEA without adequate protection, thus organisations dealing with the personal data of EU citizens must be in compliance with EU privacy laws.
The GDPR applies to any individual or organisation doing business within the EU. As it comes into force on May 25th, 2018, EU individuals and organisations must ensure compliance with the updated legislation by then.
2. Why should I care about the GDPR?
The GDPR applies to any individual or organisation doing business within the EU, and all businesses will be held accountable for how they handle their data. Therefore, as a business owner it is imperative you understand your status and your responsibilities in terms of both client data and company data. At the very least your contracts with your suppliers and clients should be updated with the new requirements imposed by the GDPR.
While the steps below represent only a few of those needed to get ready for the GDPR, in this blog we will primarily focus on the need to review your contracts with your clients and to update your engagement letters accordingly. For you, the GDPR could actually present an opportunity to review your existing client engagements and update your engagement letters. With the end of the financial year coming up, this is the perfect time to kill two birds with one stone:
- Earn more fees! With the “excuse” to update your engagement letters comes an opportunity to review your existing engagements, assess their current situation and review your fees accordingly.
- And, of course, update your General Terms & Conditions, replacing the “Data Protection” paragraphs with the new GDPR information. This will allow you to send your updated letters of engagement to your entire client base, so that you can feel assured you are complying with the new regulations.
3. Do I need to update my letters of engagement (contracts) to be compliant with GDPR?
The simple answer is yes. If you do not update your engagement letters, they will be outdated and refer to legislation that has been replaced. The GDPR overrides previous legislation, namely the Data Protection Act 1998. Thus, all engagement letters will have to be updated to inform clients that the GDPR is the applicable legislation. It is recommended that your engagement letters are amended prior to May 2018 to ensure they reflect the provisions of the GDPR.
The ICO is currently reviewing their draft GDPR guidance on contracts and liabilities for controllers and processors. Once this has passed, the final version will be issued, and passed onto accounting bodies to issue their own guidance and pro forma clauses to include in engagement letters between the accountant/bookkeeper and their client. The model contract clauses will also act as a basis for transferring personal data outside the EEA.
The good news is, the ICO is not expecting every business to have all procedures in place on May 25th, 2018. However, it is required that every organisation has started a review and has a plan on how and when it will be GDPR compliant. A good place to start is reviewing and amending your client engagements.
4. How do I update my letters of engagement (contracts) to be compliant with GDPR?
To get started, here are a few next steps we recommend you take to get ready:
1. Get in touch with your accounting body
Reach out to your accounting body (ICAEW, ACCA, HAT, AAT, ATT, CIOT, STEP, etc.) and ask for updated letters of engagement, including the pro forma Data Protection paragraphs as per the GDPR. Currently, the majority of the accounting bodies are working towards issuing updated engagement letter templates in early summer 2018, so the more they are approached, the more likely they are to speed up that process.
2. Undertake a Gap Analysis to establish where you are a data processor and data controller
A Gap Analysis can help you ensure that your policies comply with the GDPR. You can determine what data you process, whether it is necessary, where you process data, how you are filing it, and where current gaps are. Establishing where data is held allows you to track its movement across your current business processes so that you can locate and mitigate data layer security and access risks. This will be a key step in identifying whether you, as the Accountant, will be the data controller or data processor of any data you process under different contracts.
Accountancy firms can be both the data processor and the data controller in terms of their client and supplier relationships. One of the possible risks is not having the appropriate contracts in place with your clients, as well as with your suppliers. It is therefore imperative that you review any existing contracts to determine whether you are the data processor or the data controller of any personal data processed under that contract.
Thus, there are two separate sets of contracts that need reviewing under the GDPR in order to ensure compliance:
- Contracts with your suppliers
- Contracts with your clients
Contracts with your Suppliers
The distinction between a data controller and a data processor depends on who has access to the personal data and who determines the purpose and manner of processing it. A ‘data controller’ determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. The processor processes the data on behalf of the controller. The processor has specific legal obligations to keep records of its data processing activities and will be liable for any breach. Any business is the Data Controller for its own data, but if you use a third-party vendor in the processing of personal data, that vendor is a Data Processor.
According to the GDPR, whenever a data controller (the accountant) uses a processor (such as a cloud-based accounting software vendor) it needs to have a written contract in place so that both parties understand their responsibilities and liabilities with regard to the personal data (ICO).
As a data controller, you will be held accountable if the systems you are using on behalf of and for your clients do not meet the GDPR standards. This means you will need to have a written contract in place with any third party who acts as your data processor. You should contact your data processor providers and enquire as to whether or not they comply with the GDPR. This should be clearly set out in the data protection clause of your contract. To ensure they can provide ‘sufficient guarantees’ that they will meet the GDPR requirements, you should ask them to provide you with the following information:
- The steps taken to ensure the data stored by the processor remains secure and safe as per the GDPR compliance guidelines.
- The security measures in place to protect the data held by the processor.
- A contract specifying the details of the processing, and which sets out the processor’s obligations, responsibilities and liabilities.
Contracts with your Clients
As mentioned, when it comes to client relationships, accountants can be both the data processor and the data controller. You are a data controller for the data you collect about your client on engagement (for example, to comply with the Money Laundering Regulations) and a data processor in relation to the data you manage on their behalf (for example, the personal data used to manage accounts).
Where you are the data processor, you must only act on the documented instructions of your client. Where you are the data controller, you must ensure any data processors you use are GDPR compliant. In either case, both the data controller and the processor must act in line with the Regulation.
A key provision in the GDPR stipulates that the firm in control of processing the data (the accountant) must be transparent and provide accessible and clear information to clients about how it will use their personal data. Thus, where you are a data processor, the most common way to provide this information is in a privacy notice, which can take the form of an engagement letter.
To ensure your engagement letters with your clients meet the GDPR requirements, it is recommended the following information is added:
- Update the Data Protection clauses to reflect that the GDPR is the applicable legislation.
- Clarify and explain how you will obtain, use, process and disclose personal data provided by the client.
- Clarify the roles of both parties in respect of the personal data that is being processed.
- Ensure any data processors used by the firm are GDPR compliant, and add links to their terms and conditions.
- Include a privacy policy.
- Include data-sharing provisions.
- Ask for consent that is specific, granular, clear, prominent and opt-in.
By having a formal contract in place with the required terms, your clients can be reassured that those handling their personal data are in compliance with the GDPR, and you will be able to provide evidence that both parties are clear about their role in respect of the personal data that is being processed.
Consent
Additionally, part of the reason it is necessary to update your letters of engagement and send the updated versions to your existing clients is that consent is subject to additional conditions under the GDPR. If your firm relies on individuals’ consent to process their data, you need to make sure it will meet the GDPR standard.
Under the GDPR, consent must include a statement or clear affirmative action from the data subject. Inactivity, consent implied by the user proceeding with the service, or general agreement to a blanket terms of service agreement do not meet the requirement that consent “constitute an unambiguous indication of wishes”.
To give your clients greater choice and control over how their personal data is used, consent must be specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. In your letters of engagement, this means that you must ask your clients for consent for each purpose for which their data will be used; for example, separate consent for information used for marketing purposes and separate consent for data used for statistical analysis.
3. Once reviewed, update your existing contracts and send them off to be signed
Now that you have an understanding of the requirements for your contracts under the GDPR, the next step is to amend and update all your existing contracts with your suppliers and clients prior to May 25th, 2018.
As discussed, the GDPR mandates that consent is specific to the data processing, requiring the data subject to make a statement or clear affirmative action. “Silence, pre-ticked boxes or inactivity should not constitute consent” (GDPR, Recital 32). Thus, it is not enough to simply update the contracts with the new terms; you must also obtain written consent to ensure your clients agree to your handling and processing of their data.
Once your existing client contracts are updated with the new GDPR compliant terms, the best practice is to inform your clients of the updated terms and send them their letter of engagement to be signed for consent.
4. Send an email to inform clients of the changes under the GDPR
We all know that getting signatures from clients is not always easy. To ensure your clients are not blindsided by a new engagement letter arriving in their inbox, it is recommended to send a bulk email informing them of the changes to come and how these will impact them. Here is the covering email that we suggest:
Dear “Client”,
As most of you are already aware, the new GDPR legislation will be in effect starting May 25th, 2018.
We have been working diligently on updating our policies, processes and cooperating with key third party vendors to implement the appropriate organisational and technical controls to ensure proper handling of your personal data in accordance with the GDPR. The aim is to give you back control of your own data so that you can feel confident that we will only act as per your instructions.
So, in order to remain GDPR compliant, we will be reissuing our letters of engagement on May 1st. The letters contain the new and updated clauses, specifying our responsibilities to you under GDPR.
We would be most grateful if you could please review the updates and sign the engagement letters if you consent.
Please do not hesitate to reach out if you have any questions regarding how GDPR will impact your business. We are here to help!
Best regards,
Accountant
5. What do I need to do next?
The important thing to remember is that GDPR compliance is an ongoing process. It is not enough to review your business, technical structures and policies only once. You must stay in contact with your suppliers, employees and clients to ensure continued GDPR compliance. In terms of your contracts with your clients, as a best practice we recommend annual engagements with your clients, because inactivity does not constitute consent on their part.
Lastly, do not fret! The GDPR is an overhaul in rules, but not in approach to data protection. Accountants are used to data handling and adhering to strict processes, and there is a good chance you are already set up securely. So, use the changes to Data Protection as an opportunity to re-engage your clients, review your fees and continue to add value to your clients as their trusted adviser.
6. For Ignition Users...
This next section is primarily for Ignition users. Updating your existing engagement letters using Ignition is easy.
6.1 Will Ignition be GDPR Compliant?
We can confirm that Ignition will be GDPR compliant when it becomes enforceable on May 25th, 2018.
The scope of the GDPR extends to all foreign companies that process the data of EU residents, so Ignition is currently taking all the necessary steps across the entire business to ensure we will be ready. We are working with the relevant product teams and key third party vendors to implement the appropriate organisational and technical controls to ensure proper handling of personal data in accordance with the GDPR.
As we are currently taking all the necessary measures to be compliant, you can feel confident in continuing to use Ignition as we approach the deadline.
6.2 How do I update my letters of engagement within Ignition?
To make it as easy for you as possible, we have created some quick videos giving an overview of how to update your letters of engagement within Ignition.
First, change your letter of engagement templates to reflect the new terms.
Secondly, update your existing contracts with your clients using the adjust feature, to retain the audit trail and auto-remove any on-acceptance items that have already been invoiced.
Finally, double check that the updated GDPR terms have been included in the letter of engagement.
(Optional) Schedule a Meeting With Ignition
If you would like some more advice on how to update your letters of engagement with all your clients using Ignition, please do not worry; we are here to help.
Get in touch with your Account Manager, who will assist you in updating all of your existing client engagements and walk you through all the steps to make your contracts GDPR ready.
To schedule a meeting with Maria, UK Territory Manager, click here: https://calendly.com/maria-17