The Information Commissioner’s Office (ICO) says UK accountants should recognise the crucial role they play in helping their SME clients establish the correct data protection practises from the day their business is established. Data protection law sets out what businesses should do to make sure they are looking after people’s personal information properly and fairly. 

Research carried out by the UK regulator in 2021 showed that more than a third (34%) of SMEs trust their accountants for advice and a fifth (20%) actively use theirs to keep them up to date on data protection and GDPR. 

“Highly regulated professionals, such as accountants, often have a better knowledge of the regulatory landscape as a whole to ensure their own and their clients’ compliance,” says Faye Spencer, Head of Business Services at the ICO. “However, we’re not asking accountants to be experts – that’s our job – but any mention of the ICO to their SME clients can be extremely useful to ensure they have knowledge of how we, too, can assist in their data compliance. 

“We know that about a fifth of the small businesses we surveyed already use their accountants as a source of data protection advice and we see this as a good example of small businesses working together to add value to each other.” 

However, Ian Pay, ICAEW’s Head of Data Analytics and Tech, warns that while the ICO’s call made sense on paper, it raised some significant challenges for smaller accountancy firms, particularly around resourcing and liability.

“Typically, smaller firms lack the resources and expertise of larger firms when it comes to advising on data protection, so may not be best placed to support businesses on these matters,” he says. “There’s a risk that, if a client suffers a breach and incorrect advice was provided, these firms could be held liable if non-compliance with data protection laws is identified.

“While accountants should be aware of the legal requirements around data protection and privacy, both for their clients and their own businesses, most are not data protection experts and are better placed to signpost their clients to the ICO guidance.

“Our members advise more than two million SMEs across the UK, so we’re keen to work more closely with the ICO to help it to communicate important data protection messages more effectively to businesses,” Pay says.

For those organisations that fall foul of the rules, the ICO can issue warnings, reprimands, enforcement notices or fines. However, the real cost of poor data protection practices is reputational damage.

“Our focus when it comes to SMEs – and, in fact, all businesses – is helping them to prevent breaches in the first place rather than taking action against them. Getting good data practices from the start will save organisations time and money and boost customer confidence and trust,” Spencer says. 

Helen de Felice, Lecturer in Accounting and Auditing at Henley Business School, says there are opportunities for accountants to conduct audits of SMEs’ data protection processes and procedures to highlight areas of non-compliance – but there will undoubtedly be some challenges that need to be considered and addressed.

“Advising SMEs on data protection law will involve the accountants needing to have their own experts in this field, with regular training to ensure that they stay abreast of regulation. However, this will be more efficient than each client trying to do this themselves,” she says.

Audit firms would need to ensure staff develop new skills, and would need to adapt audit procedures and processes to undertake this work, de Felice adds.

Caroline Plumb OBE, CEO at Gravita, says: “At a strategic level, I think there is a wider movement – especially in the US – to start thinking broadly about the ‘office of the CFO’, and many businesses are looking at how they can provide a wider range of services to clients. 

“Often, risk and compliance fall under a CFO remit so it makes sense that this is an area under consideration. Accountancy firms act as a highly trusted partner to the CFO so I can see why the data protection regulator would want them to take a role,” Plumb says.

Meanwhile, the government has announced the introduction of new data laws to cut down on what it describes as “pointless paperwork for businesses and reduce annoying cookie pop-ups”.

The Data Protection and Digital Information Bill, a UK version of the EU’s GDPR, is promising to reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online.

It will also increase fines for nuisance calls and texts to be either up to 4% of global turnover or £17.5m, whichever is greater, and aims to reduce the number of consent pop-ups people see online, which allow websites to collect data about an individual’s visit. 

• The ICO’s SME hub produces free advice and guidance on data protection, electronic marketing and freedom of information. 

Seven key questions for accountants to ask SME clients about data protection compliance

How much do clients know about data protection compliance and the ICO? 

Have they heard of the legislation, and have they given any thought to how they will apply it to their own business?

What types of personal information will they collect on a day-to-day basis?

Ask your client to make a list of the personal information they already have or are likely to be collecting as part of their business operations – they will need to account for it all.

Encourage them to ask ‘why’ they are holding this personal information.

If SMEs are holding or using people’s personal information, it must always be fair, as well as lawful. For example, if they haven’t been open about how they’ve got someone’s personal information, then everything they do with it after this is unlikely to be fair.

What security measures do they have in place? 

Check their security lines up with the sensitivity of the information they hold. Clients should put stronger measures in place if the data poses a higher risk or is sensitive.

Do they have a privacy notice? 

You must tell people why you hold information about them, what you’ll do with it and how long you’ll keep it before safely disposing of it. This should be recorded in a privacy notice – the ICO has a template that can go on a client’s website or be used in paper form.

Do they know what a subject access request (SAR) is? 

Customers and the general public have the legal right to ask what personal information is being held about them. The ICO has produced a step-by-step guide on how to deal with an SAR.

Do they know what to do if their business has a personal data breach? 

A data breach action plan is essential. If they do have a personal data breach, they’ll need to report it to the ICO, unless they’re satisfied it’s unlikely to result in a risk to the people affected. The ICO’s guide on how to respond to a personal data breach explains what steps to take in an emergency.

Source: ICO