CPAs have access to their client’s data, but are they sure it is being protected, and do they need all the data they have access to?

 

In a special episode hosted by LumiQ, Garth Sheriff of Sheriff Consulting was joined by Malik Datardina, Governance, Risk and Compliance Strategist at Auvenir, to discuss data privacy. Their podcast examines what CPAs should know about which information to request, and how to properly collect and dispose of it after the engagement has been completed.

 

If you have not had a chance to listen to the podcast yet, here is a quick recap of four ideas all CPAs should be aware of about data privacy and professional ethics.

 

1. Privacy is a natural fit for CPAs

Why should CPAs and CPA firms be interested in learning more about data privacy? In the podcast, Malik reminds listeners that, “…the issue of privacy is more and more important to overall consciousness of society.” The global trend of individuals becoming increasingly concerned about how data is being stored and used by private entities has also trickled into how CPAs and firms handle private data.

 

For CPAs and CPA firms, their entire profession depends on how confidential client data is handled, and consequently, the importance of data security for accountants and firms is one of the top priorities. Data security has become a huge component that establishes the trustworthiness and integrity of accountants and accounting firms.

 

CPAs should collaborate with businesses to ensure data is being encrypted, to prevent data breaches, and CPAs must work with their clients to deal with data privacy concerns and increase transparency about how information is being handled by the firm.

 

2. Know the difference between confidential and private information

So, what’s the big difference anyway? In the episode, Garth asks what information do CPAs often take for granted when collecting data?  Often the terms ‘confidentiality’ and ‘privacy’ are used interchangeably regarding information collection, however, as Malik explains, they are two distinct terms.

 

To clarify, confidential information is governed by the agreement between the firm and the client, whereas private information goes beyond the agreement with the client. CPA Ontario has recently published this on the confidentiality side of things.

 

A key takeaway is that protecting privacy can be much more challenging than protecting confidentiality. To protect data privacy, it is important to look at the meaning of the information, not just the content. As transformational technology keeps emerging and evolving, all CPAs and firms need to pay attention to how private and confidential information is being captured and stored.

 

3. Ensure your firm has a privacy policy for the collected information

Should CPAs and firms have a data privacy policy for the information that they collect? A theme that came up frequently during the episode was the advantage of having a privacy policy. Having a privacy policy allows CPAs to think through the process of collecting, storing, and disposing of information collection. Creating a privacy policy allows CPAs to communicate and address any privacy concerns their client may have during an engagement.

 

In addition, there are Generally Accepted Privacy Principles, which include things such as security, disclosure to third parties, and monitoring and enforcement when it comes to privacy policies. The full list is available here.

 

During the podcast, Malik emphasizes the importance of notice, choice, and consent with clients, and how privacy policies provide clients with the opportunity to consent to how the firm will be using the data. Having a privacy policy covers a lot of ground when it comes to compliance.  

 

4. CPAs and firms should seek guidance for data privacy

In the episode, Malik illustrates why CPAs could be exposed to potential litigation if they are not compliant and aware of data privacy best practices. There has been increasing pressure for companies to respect individual’s data privacy, and firms need to do their due diligence and get an understanding of how to ensure data is private and protected to remain compliant with applicable laws.

 

The benefit of legislation like the General Data Protection Regulation (GDPR) is that it has increased the awareness of data privacy among CPAs and society at large. Ultimately CPAs need to be able to identify any applicable legislation related to data privacy, including the GDPR. That being said, if firms are actively operating in the EU, they should consult privacy or legal professionals who can help provide guidance on how to proceed in the EU or other places the firm operates.

 

Discover more about “Data Privacy and Professional Ethics!”

If you’re interested in hearing more about how having a data policy in place can lead to an efficient engagement, listen to the full recording of LumiQ’s podcast on ‘Data Privacy and Professional Ethics’ here.