General Data Protection Regulation

General Data Protection Regulation ("GDPR") is a European mandate that went into effect on May 25, 2018. The regulation is designed to establish uniform data privacy law across the European Union, and applies to any EU established business, including U.S. companies and firms with offices in the EU.

It is critical to recognize that GDPR does have implications for U.S. CPA firms, even if the firm does not have an EU office. Reference the following scenarios:
  • The firm offers services to clients ("natural persons" or "individuals") in the EU.
  • The firm has personal information about “natural persons” or “individuals” in the EU.

If your firm falls into one or both of the above scenarios, you are subject to compliance with GDPR regardless of the size of your firm, or the nature of your services.

GDPR is aimed at protecting the processing of personal data of any EU individual. Processing is defined broadly to include virtually any activity that can be performed on personal data, including collecting, using, storing, sharing or transmitting personal data. GDPR defines personal data as essentially anything that can be used to identify a natural person.

Therefore, if your firm is currently performing services that involve personal data of an EU individual, or has any personal information about an EU individual in its email, document management, or marketing or contact databases, your firm may be subject to GDPR. Penalties for non-compliance with GDPR are potentially significant. If GDPR applies to your firm, and you have not already taken the necessary steps to ensure compliance, it is critically important to begin the process immediately.

Identify and map your data flows and identify if and where the firm stores any personal data of EU individuals. Once you have identified and gathered this information, it will be essential to take the necessary steps to ensure compliance with the obligations imposed by GDPR.

At a high level, GDPR compliance for a CPA firm typically includes the following elements, although this list is not meant to be all inclusive:
  • Ensure awareness within your firm
  • Inventory the personal data and information you hold within your firm (this should include identifying how you use the personal information and for what purpose)
  • Communicate privacy information to affected individuals
  • Address the firm’s compliance with the privacy rights¹ of the individuals to include the following specific elements:
    • The right of access to obtain a copy of the information
    • The right to correct the information
    • The right to have information deleted
    • The right to restrict how a firm uses the information
    • The right to data portability
    • The right to object to stop a firm from using information for a particular purpose
  • Ensure procedures exist for getting required consents²
  • Prepare for data breaches
  • Implement technical and administrative measures for data and privacy protection

GDPR requires extensive recordkeeping and documentation to demonstrate compliance with its requirements. As the information provided above is general in nature, it is not intended to address all aspects of GDPR compliance that may impact your firm. CAMICO strongly encourages firms to seek help from qualified legal professionals to address any exposures your firm may have with respect to GDPR compliance.

What’s Next on the Horizon?

It did not take long for "GDPR lite" to come to the United States. California is the first state, although presumably not the last, to push forward a privacy initiative. California signed into law on June 28, 2018, the Consumer Privacy Act ("AB 375" or "Act"), which becomes effective January 1, 2020. It will inevitably require fine-tuning, as some critics of the legislation have deemed it overly complicated, poorly drafted and constitutionally problematic.

The California Act provides that a "consumer" (defined as a natural person who is a California resident) has a right to know what "personal information" businesses collect about them. (Personal information under the Act is defined more broadly than GDPR, which is problematic.) Further, it will require businesses to notify California consumers of the categories of information the businesses collect and will prohibit businesses from collecting additional information without further disclosure.

CPA firms doing business in California that meet the applicable thresholds for compliance with the new privacy law should begin to prepare early to implement appropriate compliance measures to meet the requirements of the Act.

For CPA firms that have already adopted GDPR compliance, measures need to be taken to ensure that the firm also conforms with the requirements of the California privacy law, as the Act defines personal information more broadly than GDPR and mandates several compliance requirements not imposed by GDPR. In addition, there are also variations in the limitations and exceptions to the privacy rights granted by the California Act, as compared to GDPR.

Risk Management Guidance

A CPA firm's compliance with applicable data and privacy laws, including but not limited to GDPR, is an extremely complex and organization-specific initiative. CAMICO strongly encourages firms to engage legally qualified professionals to discuss how GDPR, and other data and privacy protection laws, may apply to your firm and how best to comply. CAMICO further encourages firms to DOCUMENT all time, money, research, risk assessments, and other steps and decisions taken by the firm to achieve compliance. This documentation will help to support the firm’s good faith efforts toward compliance and accountability in the event it is ever challenged by a regulatory body.

For illustrative purposes, CAMICO developed sample engagement letter language regarding a firm's compliance with applicable data and privacy protection laws. This sample engagement letter language, titled "Engagement Letter Guidance — GDPR," is available to download from the CAMICO Members-Only Site under Knowledge Tree —> CAMICO Publications —> IMPACT —> 2018 —> IMPACT 113, or from the Engagement Letter Resource Center in the "Other Services Letters" section. As an aside, CAMICO has also received calls from policyholders concerned that their clients may allege that the firm should somehow be responsible for advising them with respect to the clients' privacy and/or GDPR compliance issues. If your firm is concerned about this potential risk, please consider inserting the language below in your engagement letters.

Management is responsible for the design, implementation and administration of appropriate data and privacy protection safeguards and policies that may be required under the laws and regulations applicable to its business. As [Firm] is not rendering any legal services as part of our engagement, we will not be responsible for advising you with respect to the legal or regulatory aspects of your company's compliance with any data and privacy protection laws, including but not limited to the General Data Protection Regulation Act.

The preceding language is also available in the "Engagement Letter Guidance — GDPR" document, as noted above. CAMICO policyholders with questions regarding this communication or other risk management questions should contact the Loss Prevention department at lp@camico.com, or call our advice hotline at 800.652.1772 and ask to speak with a Loss Prevention Specialist.



¹ A firm should be cautious as they address the privacy rights of an individual to ensure that the firm's efforts to protect the rights of an individual do not adversely affect the rights of others. In addition, a firm should not jeopardize their own compliance with professional standards. For example, the right to “erasure” needs to be clarified within the firm’s privacy policy to allow the firm the right to retain such information it deems necessary under professional standards to support its work products.

² A firm should ensure that the procedures related to consent under GDPR also include reference to, and compliance with, all applicable professional and regulatory standards. For example, the IRS has very specific written consent requirements that need to be complied with when the firm transfers confidential client tax information to a third party (even if the client is requesting the transfer).
