On May 25, 2018, the General Data Protection Regulation (“GDPR”) became effective in all European Union (“EU”) member states. While GDPR clearly applies to businesses physically located in the EU, for businesses in the United States (“U.S.”), the applicability of GDPR is less clear.
CPA firms hold a large volume of confidential client and personally identifiable information, making them a target for cyber criminals. Much has been published about the risks and associated costs when firms fail to comply with state breach notification statutes and the AICPA Code of Professional Conduct relating to unauthorized disclosure of confidential client data. However, GDPR presents a host of additional accountabilities that firms must address when engaging in certain activities. The first question to consider is, “Does GDPR apply to your practice?”
Application of GDPR
GDPR focuses on protecting the rights of “data subjects,” or the natural person in question, when certain information is processed by a third party, such as a CPA firm. So, while the regulation certainly applies to businesses in the EU that process EU residents’ data, it also applies to CPA firms outside of the EU in certain circumstances. This extra-territorial scope of GDPR is limited to controllers or processors of data (as defined by GDPR and explained later in this article) who either 1) offer goods or services in the EU or 2) actively monitor natural persons’ behaviors while those individuals are in the EU.
So how might this extra-territorial scope of GDPR extend to a U.S.-based CPA firm? GDPR generally does not apply to U.S. firms that do not actively market themselves to potential EU clients or actively monitor the behavior of EU residents. However, consider a firm that receives personal data of an EU resident who happens to file a U.S. tax return. In general, GDPR likely does not apply because the firm is not actively engaged in offering services in the EU and/or is not actively monitoring the individual’s behavior.
But consider the following: What if the firm begins to actively market its services through its website to U.S. expatriates living in the EU? What if a CPA firm actively markets services to high net worth individuals who have seasonally relocated to the EU and the firm accepts payment in Euros for the client’s convenience? What if the firm markets audit services to multi-national companies through its website, which is translatable into various EU dominant languages, and routinely communicates with EU-based subsidiaries of U.S. companies? CPA firms in these scenarios are likely to be subject to GDPR’s requirements.
There are questions a firm should ask to determine if it is within the scope of GDPR.
- Does the firm have a physical or digital presence in the EU that collects, transmits, or processes personal data?
- Does the firm offer services to individuals in the EU? This means more than just having a website accessible in the EU.
- Does the firm target EU customers by offering services (physical or digital, paid or free) in their language or by accepting Euros as payment?
- Does the firm track or monitor EU individuals — meaning collecting data on EU individuals to monitor or profile them?
If the firm answers yes to any of these questions, GDPR applies.
Some GDPR fundamentals
First, it is important to understand that GDPR takes a fundamentally different approach to privacy as compared to current systems across the world. Under GDPR, data subjects continue to own their data even though a business may have collected it. Some parts of the regulation provide very specific duties and requirements while others expressly grant rights to data subjects which, in turn, impose less clear obligations on those processing the data.
Understanding how GDPR defines “data controllers” and “data processors” is important. A data controller is a person, agency or business that makes key decisions as to what data is collected and how it is processed. A data processor has the primary duty to comply with the provisions of its contract with a data controller on when and how data is to be processed. Thus, compliance with GDPR resides primarily with the data controller. It is expected that CPA firms are more likely to be data controllers with respect to their clients’ data.
A good resource to learn more about compliance with GDPR is the Information Commissioners Office (“ICO”) in the United Kingdom, an independent authority that enforces information rights and data privacy for individuals. Its website offers several data protection self-assessment toolkits on the topics of controller and processor accountabilities, information security, records management and data sharing, among other topics. In addition, legal counsel or a specialized vendor can help evaluate the firm’s processes against the requirements of GDPR.
Enhancing data privacy workflows
At first glance, U.S.-based CPA firms may think that GDPR does not apply to them. However, being dismissive of GDPR is shortsighted. Legislation addressing data privacy and security is quickly becoming the new normal. Indeed, California recently enacted legislation which adopts many GDPR-type accountabilities. In addition, Canada, Japan, China and Korea have developed or are developing data protection laws similar to GDPR. In other words, even if CPA firms do not have to comply with GDPR now, it is becoming increasingly likely they will need to comply with something similar in the future.
Regardless of whether a CPA firm must comply with GDPR, there are risk management practices regarding data privacy that simply make good business sense in bringing CPA firm practices further into the modern digital age. Consider the following:
- Update engagement letters to include a consent-to-process provision or a “legitimate interests” notification. The ICO provides a wealth of information related to this topic.
- Enhance internal document management processes including those related to data collection, processing and destruction to be able to respond to the rights of consumers as recognized by GDPR.
- Ensure appropriate technical measures are in place to provide adequate data security. GDPR does not provide specific information technology recommendations but rather recognizes the latest technology available and balances the use of those products with the cost of implementation given the type and nature of data stored.
- Develop a data breach response plan to mitigate potential damages in the event of a breach. Obligations in the event of a data breach vary widely across the U.S. and in relation to GDPR. Consultation with legal counsel is recommended to ensure a firm’s data breach response plan complies with applicable notification obligations. Check out PCPS’ HACKED! Building defenses against and responses to intrusion resource to learn more about developing a response plan.
GDPR represents a watershed moment in the recognition of personal rights to privacy and identity. While it will take effort and likely the assistance of outside counsel or a specialized vendor, compliance with the requirements of GDPR is not an insurmountable task. Regardless of whether GDPR applies to a domestic CPA firm, it provides an opportunity for all firms to engage in introspection of their current data collection, processing and storage practices.
By Nick Graf, ARM, CISSP, CEH and Michael Barrett, Esq. Nick is a Risk Control Assistant Vice President for Information Technology at CNA. Michaelis a Risk Control Director at CNA. For more information about this article, contact firstname.lastname@example.org.
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit www.cpai.com.
This information is produced and presented by CNA, which is solely responsible for its content. The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA. CNA recommends consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations. Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such Web sites. To the extent this article contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situations, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice. CNA" is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the "CNA" trademark in connection with insurance underwriting and claims activities. Copyright © 2018 CNA. All rights reserved.