Information Commissioner's Office calls for accountants to play their role in SMEs data protection compliance

• Regulator publishes key questions for accountants to ask SME clients to ensure they get data protection compliance right.

The ICO is calling on UK accountants to recognise the crucial role they play in helping their SME clients have the right data protection practises in place from the day their business is established.

Research* carried out by the UK regulator showed that over a third (34%) of SMEs trust their accountants for advice and a fifth (20%) actively use theirs to keep them up to date on data protection and GDPR.

Data protection law sets out what businesses should do to make sure they are looking after people’s personal information properly and fairly. In addition to the legal requirement, good data protection makes economic sense. It saves business owners time and money and shows customers their information is being treated correctly.

The ICO has an array of free resources for SMEs, providing advice and guidance for on data protection, electronic marketing and freedom of information on its dedicated SME hub.

The ICO has listed seven key questions for accountants to ask their SME clients about their data protection compliance.

1. How much does your client know about data protection compliance and the ICO? Establishing a client’s level of knowledge is a useful place to start. Have they heard of the legislation and have they given any thought to how they will apply it to their own business?
   
   Are they aware of the work of the ICO? Encouraging them to register with us as soon as possible will mean they are aware of our free resources in the early days of setting up their business.
   
   The ICO also writes to all new businesses that register with Companies House. Some business owners aren’t expecting a letter and think it is part of a scam. You can reassure your client that the ICO is here to help and encourage them to check in with us regularly to access the free resources available on our website.
2. What types of personal information will they collect on a day-to-day basis? Ask your client to make a list of the personal information they already have or are likely to be collecting as part of their business operations – they will need to account for it all.
3. Encourage them to ask ‘why’ they are holding this personal information? If they’re holding or using people’s personal information, it must always be fair, as well as lawful. This means they should only use their data in ways they’d reasonably expect. For example, if they haven’t been open about how they’ve got someone’s personal information, then everything they do with it after this (whether they think it’s lawful or not) is unlikely to be fair.
4. What security measures do they have in place? Check their security lines up with the sensitivity of the information they hold. Clients should put stronger measures in place if the data poses a higher risk or is sensitive.
5. Do they have a privacy notice? It’s essential to tell people: why you hold information about them; what you'll do with it; and how long you'll keep it before safely disposing of it. This should be recorded in a privacy notice – the ICO has a handy template for SMEs to use. This can go on a client’s website or if they don’t have one, in paper form.
6. Do they know what a subject access request (SAR) is? Customers and the general public have the legal right to ask your client what personal information they hold about them. Use our step-by-step guide on how to deal with a subject access request.
7. Do they know what to do if their business has a personal data breach? A data breach action plan is essential. If they do have a personal data breach, they'll need to report it to the ICO, unless they're satisfied it's unlikely to result in a risk to the people affected. Check out our guide on how to respond to a personal data breach so your client knows what steps to take in an emergency.

“SMEs have a lot to think about when running a business and it’s natural that they rely on their professional network for guidance as they look to grow their business.

“Accountants are a key part of this network and it’s clear from our engagement with SMEs that many of them are reliant on their accountant to ensure their business dealings are compliant with data protection laws.

“We’re encouraging accountants across the UK to recognise the role they play and the value that they can add when it comes to offering peace of mind to clients running their own businesses.

“The ICO has lots of free resources, and we are here to empower all parties to unlock the value of the personal information that they hold. When processed and used responsibly personal data can help a business to grow and good data protection practices project positively on a company’s reputation.”

- Faye Spencer, Head of Business Services at the ICO

The ICO’s advice for accountants comes as the regulator completes a pilot programme with up to 60 SMEs from across the UK, in which they have been trialling a new self-assessment and development programme.

Named SME Data Essentials, it is aimed at empowering organisations to become better equipped to manage their own data compliance.

The pilot forms part of ICO25, the ICO’s new three-year strategic plan which details how the ICO will bring down the cost of compliance whilst enabling and supporting SMEs to invest, innovate and grow.

*Research carried out in 2021 with over 200 SMEs.