On 22-Feb-23, the UK Data Protection regulator (the Information Commissioner’s Office) issued a post discussing the role of accountants in ensuring data protection compliance within small and medium-sized enterprises (SMEs).

The article states that accountants often have access to sensitive financial and personal data and, as such, can play a vital role in advising SMEs on data protection compliance. The Information Commissioner’s Office (ICO) is calling on accountants to help raise awareness of the importance of data protection and to assist SMEs in implementing appropriate measures to safeguard personal information.

7 Key Questions For Accountants To Ask Their SME Clients

1. How much does your client know about data protection compliance and the ICO? Establishing a client’s level of knowledge is a useful place to start. Have they heard of the legislation, and have they given any thought to how they will apply it to their own business?

2. What types of personal information will they collect on a day-to-day basis? Ask your client to make a list of the personal information they already have or are likely to be collecting as part of their business operations – they will need to account for it all.

3. Encourage them to ask why they are holding this personal information. If they’re holding or using people’s personal information, it must always be fair, as well as lawful. This means they should only use their data in ways people would reasonably expect. For example, if they haven’t been open about how they’ve got someone’s personal information, then everything they do with it after this (whether they think it’s lawful or not) is unlikely to be fair.

4. What security measures do they have in place? Check that their security lines up with the sensitivity of the information they hold. Clients should put stronger measures in place if the data poses a higher risk or is sensitive.

5. Do they have a privacy notice? It’s essential to tell people: why you hold information about them; what you’ll do with it; and how long you’ll keep it before safely disposing of it. This should be recorded in a privacy notice – the ICO has a handy template for SMEs to use. This can go on a client’s website or, if they don’t have one, in paper form.

6. Do they know what a subject access request (SAR) is? Customers and the general public have the legal right to ask your client what personal information they hold about them. Use our step-by-step guide on how to deal with a subject access request.

7. Do they know what to do if their business has a personal data breach? A data breach action plan is essential. If they do have a personal data breach, they’ll need to report it to the ICO, unless they’re satisfied it’s unlikely to result in a risk to the people affected. Check out our guide on how to respond to a personal data breach so your client knows what steps to take in an emergency.