
13 May 2019

GDPR one year on: its impact on auditors and accountants? by Julia Bodnarova

Keeping our personal information private is a concern for us all. It’s been one year since the EU’s General Data Protection Regulation (GDPR) required all organisations processing data to review and adapt their documents and procedures. What the GDPR means in practice has been the topic of intense debate. In this blog, we aim to clarify what the GDPR means for auditors and accountants in their daily work.

For more in-depth information, see our position paper GDPR: implications for auditors.

Are auditors data controllers or data processors?

For statutory auditors, safeguarding their clients’ personal data is crucial, as their independent expert opinion provides trust to our financial infrastructure. In forming an opinion on companies’ financial statements, auditors process private data on a daily basis and must therefore comply with the GDPR.

This is why statutory auditors need to identify which role they play under the new legislation: whether they are data processors or data controllers, as the responsibilities allocated to each role are different.

See the responsibilities for data controllers and data processors in our publication.

EU law requires auditors to be independent from their clients. This means that auditors determine why they need to use personal data and how this data is processed or stored. Because of this independence, auditors need to be considered data controllers under the GDPR.

In practice, this means that auditors need to set up a privacy policy to clarify their role and responsibilities as data controllers. They also need to notify their clients of this, by including a data protection clause in the engagement letter.

And how do accountants qualify under the GDPR?

When not performing statutory audits, accountants should analyse the service they provide to determine whether they function as a data processor or data controller. They can do this by asking themselves: “as a service provider, do I have any control over the purposes and the means of processing these personal data?”

If the answer is “no”, accountants and accountancy firms are acting as a data processor. In this case, they are acting on behalf of, and under the detailed instructions of, the data controller: for example, when clients control what, why and how accountants can process their personal data.

When practitioners are acting as data processors, they are required to enter into a data processing agreement with their clients, which must comply with the strict requirements of Article 28 of the GDPR. They also need to clarify whether they are acting as a data controller or a processor in the engagement letter’s data protection clause.

However, there is one major caveat to this: whenever practitioners detect malpractice which they must report, they will always be acting independently as data controllers for this specific purpose.

In a nutshell

Check out our work on data privacy and GDPR.
