ICAEW.com works better with JavaScript enabled.

Opportunities and risks follow ICO call for SME advice

Author: ICAEW Insights

Published: 20 Mar 2023

As the Information Commissioner’s Office urges accountants to help SME clients navigate data protection legislation, Matthew Wilkinson-Foster explains the opportunities and risks this presents.

In the modern world of accounting, accountants don’t just do accounts. Being a trusted adviser to business owners and offering guidance to clients across a broad range of key business areas helps build and maintain client relationships. 

Data protection and information security are subjects of concern to everyone. The financial costs to business of getting IT security wrong and falling foul of GDPR can be potentially huge, but it can also impact reputation and operations to such an extent that the company may be irretrievably damaged.

Accountancy firms will be aware of GDPR, data protection compliance and information security for their own data purposes. However, for any accountancy firm to rise to the challenge of offering this type of advice there are hurdles to overcome. 

Having a member of the team trained to give advice to clients in data protection and/or information security is a slightly different prospect to managing internal risks. This training will take time and will be an additional cost to the firm. 

The flipside is that it presents an opportunity for accountants to provide an enhanced service to their clients, one which they are often well placed to deliver; many have worked with their clients over several years and will have a good understanding of their business, control and reporting systems, including IT.

That knowledge and understanding will be much greater for audit clients – the recent introduction of ISA 315 extends the work auditors must do in terms of the identification of risks, including those associated with the firm’s use of IT.

The big question is whether the accountant or auditor has sufficient technical knowledge to identify and document strengths and weaknesses in their clients’ data protection systems and processes, and assess and draw conclusions upon the information collected. 

When a company is more engaged and an accountant or auditor is advising on data protection and information security, they must ensure that they are competent to undertake that piece of work.

There is risk both to the auditor and to the client if this work is not done well. 

A large proportion of SMEs simply don’t understand or even recognise the importance of data protection and information security. If they don’t recognise it, they won’t value it. Others may see data protection as something that will consume a lot of their time and so they don’t do anything about it.

A questionnaire could be used, but this is not just about ticking boxes on it; without sufficient specialist IT knowledge, firms may not pick up on all relevant points. There is a risk to reputational damage if the accountancy firm gives the incorrect advice and for that reason, it is imperative that staff members offering this advice are well trained and knowledgeable in data protection guidance and compliance.

For example, do you know how to deal with a Subject Access Request (SAR)? Do you know what a Data Breach action plan is or are you aware that you only have 72 hours to determine the cause, effect and impact of a data breach and how to report it if you are asked? Accountancy firms would probably need to offer this advice as an enhanced service outside the scope of accounts and audit.

However, it is important that you ensure your professional indemnity (PI) cover includes offering clients this type of advice. Not all PI cover is equal; providers will often not cover you and prohibit giving advice that is not strictly the main focus of your business. 

In addition, an SME may seek the advice as part of the available services from their accountancy firm and only half implement what they are advised. If this leads to a fine due to their handling of data, the SME may state that they were acting on the advice given to them by their accountants’ data protection offering. This can be mitigated with good record keeping and ensuring you have the correct PI cover.


Matthew Wilkinson-Foster is IT Director at Haines Watts in Wolverhampton

Discover more from ICAEW Insights

Insights showcases news, opinion, analysis, interviews and features on the profession with a focus on the key issues affecting accountancy and the world of business.

Accountancy Insights Podcast
Accountancy Insights Podcast

Hear a panel of guests dissect the latest headlines and provide expert analysis on the top stories from across the world of business, finance and accountancy.

Find out more
Daily summaries
Three yellow pins planted into a surface in a row
News in brief

Read ICAEW's daily summary of accountancy news from across the mainstream media and broader financing sector.

See more
A megaphone
Stay up to date

You can receive email update from ICAEW insights either daily, weekly or monthly, subscribe to whichever works for you.

Sign up