
What are my GDPR concerns when preparing for a monitoring visit?

Welcome to Query Of The Week

Welcome to this week’s Query Of The Week. Each week our technical team respond to a huge number of client queries and in this segment, we share with you the most common questions that keep coming up time and time again.

In this week’s Query Of The Week, Des O’Neill takes a look at GDPR one year on, as well as talking you through a practical example which is happening to accountants around Ireland every day.

GDPR One Year On

If this Query Of The Week was of interest to you, you will also be interested in our GDPR One Year On webinar which is scheduled for Wednesday, 29 May 2019.

Date: Wednesday, 29 May
CPD Allocation: 1 Hour
Fee: €38 (or 1 CPD Club point)
Presenter: Des O’Neill – OmniPro
Category: Audit

Query Of The Week – Video Transcript

(Please note that this is a direct unedited transcript of the spoken word as recorded on the video) 

Hi, I’m Des O’Neill. Thank you for joining me for this week’s Query of the Week.

This query is relevant to every accountancy firm in Ireland because this query is about GDPR. And for me it’s critical, we’re just coming up on the 12 month anniversary of GDPR and I am massively concerned about what’s happening.

Every day, every week we are seeing accountants who are struggling with GDPR having problems. At least once, if not twice a week we are seeing accountants who are breached.

And this week’s query arose when we were actually working with a client preparing for a monitoring visit and they mentioned in passing that they were having a little bit of an IT issue that was impacting on their monitoring visit preparations.

D’you know, and these types of IT issues, IT issues like ransomware, phishing, third-party data breaches are an ongoing problem.

So we were having a conversation about a monitoring visit and the question came to me then, the accountant said, “Well, this is what’s happened, I’m after having a ransomware attack. I’ve been in touch with my IT provider, they say they’re solving the problem, what should I do about it?”

And the real problem here was the IT provider told them that they didn’t really need to do anything. And that’s one of the issues with GDPR, there’s so much misinformation out there.

Like the answer to this question lies in the GDPR, the General Data Protection Regulations, which accountants have been operating under since May 2018. Where somebody has had a ransomware attack, they’ve had a breach.

The first step that they should take is that they should contact, they should contact their IT providers to assess the breach or the issue. So whether this is ransomware, whether this is a phishing attack, no matter what it is, to contact the IT providers to assess, well, what’s the breach, what’s happened, what’s the problem, what’s the extent of the issue?

Now we do have to be careful here, and I’m not in any way disparaging IT providers, but we’ve come across examples in the last 12 months where the IT providers have said, oh, there’s no problem here, there’s no issue when clearly there was an issue.

‘Cause the IT providers are kinda covering their own backside ’cause, like, how did the issue arise? Maybe they didn’t have things set up properly in the first place.

To assess the breach, work with your IT provider, but you need to ask some of the hard questions as to, well, what has happened here, what’s the risk and exposure? Could personal data be compromised? In this particular case the IT provider, despite the fact the ransomware basically froze the firm’s server, the IT provider said, “Well, actually there’s no, there’s no possibility of a breach here.”

Of course, there is, if they’ve put ransomware on your server, there is a breach potentially. Having assessed the breach, I would suggest you notify the DPC. Now obviously the DPC, Data Protection Commissioner, they need to be notified within 72 hours.

Now what will happen with the Data Protection Commissioner is I would suggest you start with a phone call and say, well, here’s the issue, and then the Data Protection Commissioner will assess the situation and give some guidance.

So there is an opportunity here to not report breaches and not in every breach situation do you have to notify your customers, but the Data Protection Commissioner, the first thing they’re gonna tell you is to remedy the issue.

How did this issue arise? What steps have you taken in relation to GDPR in advance? And now, what steps do you need to take? And then it will come down to whether you have to communicate with your customers who’ve been affected or not.

Like, and this is the bit that accountants don’t really like and the bit that accountants don’t want to do. But the GDPR regulation is very, very clear in terms of the requirements in relation to reporting. And you see, for me, this particular query, so it opens up a whole myriad of issues, because I started asking the question, “Well, do you have a data privacy notice?”

And most firms would say to me, yeah, we’ve got a data privacy notice, but then I say, “But do you have the actual procedures in place?” Oh, well, what do you mean? We just, we took a template and put it in place.

The data privacy notice and not having the procedures in place, this is a bigger issue, this is a bigger pitfall. Having a data privacy notice, not having done the data mapping.

Like, one of the other big problems we see is letters of engagement were produced last year and given to accountants, telling them they had to sign up customers using letters of engagement, implying they’re data processors.

You’re not data processors, you’re data controllers. So the bottom line is, if you have a breach, step one, assess the breach, talk to your IT provider. If the breach is reportable, which they usually are, based on our experience, a lot of the breaches we’re seeing are reportable, notify the DPC.

The DPC will look at, well, what has happened and how’re we gonna remedy the issue and then the consideration is, do we communicate with our customers?

It’s about being data compliant. Like, you gotta watch your IT providers. Do they have, like, what are their requirements?

Do they have, do they have correct agreements in place? Do they have correct controls in place? So that’s this week’s query.

Now if any of this impacts on you, your customers, your business, we are running a webinar on this topic on the 29th May 2019 and this webinar’s called GDPR One Year On.

So if any of this query impacts on you, if GDPR is a concern and an issue for you, join us, go to cpdstore.com, you’ll be able to find the webinar and you will be able to book from there.

Now if you’re watching this query anywhere else other than KnowledgeHUB, KnowledgeHUB, the OmniPro KnowledgeHUB, well, d’you know, head on over to KnowledgeHUB.OmniPro.ie and you’ll see all our queries and Queries of the Week and you’ll be able to leave comments and ask questions.

And perhaps you could even submit a question to our next week’s Query of the Week video, which we’ll be able to answer for you. So from myself, Des O’Neill, and the OmniPro team, that’s our GDPR query this week.

Until I see you again, let’s get it done.