What should the protection of personal data look like in accounting offices?
Although the General Data Protection Regulation (GDPR) has been in force for some time (since May 25, 2018), data protection still raises many doubts. What do owners of newly established accounting offices have to keep in mind in this respect? When is an accounting office a data administrator, and when is it an entity processing personal data? We examine what the protection of personal data should look like in accounting offices.
Personal data protection in accounting offices
The activity of accounting offices consists in keeping the accounting books entrusted to them by clients or in keeping simplified accounting (the KPiR tax book of revenues and expenses or a lump-sum basis). Some offices offer comprehensive services and also handle HR and payroll matters, thereby gaining access to sensitive data, e.g. medical records.
In order to serve its clients efficiently, an accounting office may employ professional staff and thus act as an employer. It then plays a double role, as:
Personal Data Administrator (ADO). An accounting office acts as a personal data administrator, among other cases, when it employs staff and processes their personal data.
Entity processing personal data (processor). Accounting office employees work with documents provided by the client, e.g. invoices or contracts, which may contain personal data. In doing so, the accounting office processes personal data on the client's behalf.
As a result, even an accounting office that does not employ any staff must ensure that the personal data entrusted to it is properly protected. This, in turn, requires signing appropriate contracts with clients and implementing safeguards, so that the data really does remain safe.
What are the duties of an accounting office as a personal data administrator?
The accounting office as a data administrator has specific duties. These follow from the rights granted to natural persons, including the right to access their data. As a result, employees of the accounting office (regardless of the type of contract signed) and entrepreneurs running a sole proprietorship (natural persons) have the right to:
request that the administrator correct personal data that is incorrect (Article 16 of the GDPR);
have their data deleted (the so-called right to be forgotten). The administrator is obliged to delete personal data if it is no longer necessary for the purposes for which it was collected (Article 17 of the GDPR);
have the processing of their personal data restricted. This right applies, inter alia, where the processing is unlawful but the data subject opposes the erasure of the data (Article 18 of the GDPR).
In order to be able to submit one of the above requests, the natural person must be informed, inter alia, of who the data controller is. For accounting offices acting as personal data administrators, this means fulfilling the information obligation. How is this obligation fulfilled in practice?
As a rule, accounting offices prepare a document that they hand over to natural persons when starting cooperation with them. From such a document, e.g. a future employee can find out who the data controller is and learn about their rights.
Why should an accounting office sign a personal data processing agreement?
A separate issue is the processing, by employees of the accounting office, of personal data entrusted by clients. A few years ago, the persons authorized by the accounting office to conclude contracts with companies signed only an agreement entrusting the office with, for example, the tax book of revenues and expenses. Today this is not enough: a data processing (entrustment) agreement must also be signed.
The GDPR (more precisely, Article 28) indicates what information must be included in the contract for entrusting the processing of personal data, namely:
processor and controller. The parties entering into the data entrustment agreement must be identified;
subject matter of the processing. Here it is closely related to the contract concluded between the parties;
duration of the processing. As a rule, it coincides with the term of the contract;
the nature and purpose of the processing. Specify, inter alia, the frequency of processing and indicate why the processor will process the data;
the type of personal data and the categories of data subjects, e.g. whether ordinary or sensitive data is involved;
the duties and rights of the administrator. Here it is necessary to specify, inter alia, the basic obligation of the administrator, i.e. the method of data transfer.
Given the freedom of contract in force in Poland, the parties may also include other provisions important to them in the document.
What organizational and technical security measures should an accounting office implement?
The processing of employee data, or of data obtained from clients, rightly raises the question of how it is secured. Here the GDPR only sets the direction; the decision on which specific measures to implement is left to those managing the organization that processes the personal data. What matters most is that these safeguards are effective. As standard, the following are used:
organizational safeguards. These are all kinds of instructions and procedures that employees follow. Compliance with them is meant to ensure, for example, that data is not accidentally handed over to an unauthorized person;
technical safeguards. These are the specific hardware and software an organization uses. For example, accounting offices will use both IT security measures (e.g. anti-virus software, encryption keys) and shredders with an appropriate security level or lockable cabinets.
Modern accounting offices usually store data in various forms, both electronic and paper. As a result, a variety of technical safeguards must be applied. In many offices it is standard for an external company specializing in IT to oversee the protection of data in electronic form.
Since the weakest link in working with personal data is the human being, the accounting office can also organize regular training for employees who have contact with client documentation. It is also worth choosing a GDPR-compliant accounting system that enables encrypted data transmission, secures access with two-step login (two-factor authentication), and creates a backup copy of the data on a second server.
Why can't an accounting office afford to downplay data protection?
The motivation to explore personal data protection should not be limited to the financial penalties (up to EUR 20 million or 4% of annual turnover) that threaten entities neglecting their obligations in this regard. Clients of accounting offices are mainly business entities that process personal data themselves and are aware of how the GDPR works, so the protection of personal data in accounting offices is a responsibility shared by several participants in the process.
Accounting offices that take personal data protection seriously can gain an advantage over their competitors. For the clients using their services, price is often of secondary importance. Why? On the one hand, the services of an accounting office are cheaper than setting up an in-house accounting department; on the other hand, the office is entrusted with a sensitive area of the business: knowledge of its finances and contacts. This, in turn, makes quality of service, discretion and data security the priority.