A Checklist For Accounting Firm Data Protection


    Constant ransomware attacks and other cybercrime are pushing businesses worldwide to take steps toward data protection. As data moves between clients and firms, protecting it in transit and on the devices that access it is vital.

    The General Data Protection Regulation (GDPR) is the new privacy law that governs the use of personal data belonging to employees, suppliers, clients, or other parties involved with the organisation. However, many business owners are still unaware of the regulation and the data protection measures it requires.

    We’ll cover the following points in the blog post:

    What is personal data?

    Personal data is information that relates to a living individual and can be used to identify them directly or indirectly. It ranges from name, age, address and contact details to technical data such as an IP address or a cookie identifier.

    If the controller pseudonymises, de-identifies or encrypts the information but it can still be linked back to the person, it remains personal data. If the information is rendered anonymous so that it no longer identifies an individual, it is not personal data.

    In an accounting firm, personal data includes both the clients’ data and the firm’s own data. Both sets of information come under GDPR.
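As an added illustration of the distinction above (example code written for this post, not part of the original), the Python sketch below uses constructed sample client records: a keyed pseudonym can be re-linked to a person by whoever holds the key, so the output is still personal data, whereas an aggregated summary with small groups suppressed cannot be traced back to anyone.

```python
import hmac
import hashlib

# Constructed sample client records for illustration; not real people.
CLIENTS = [
    {"name": "Alice Example", "email": "alice@example.com", "postcode": "SW1A 1AA", "fee_gbp": 1200},
    {"name": "Bob Sample", "email": "bob@example.com", "postcode": "SW1A 1AA", "fee_gbp": 800},
    {"name": "Carol Test", "email": "carol@example.com", "postcode": "EC1A 1BB", "fee_gbp": 1500},
]


def client_token(email: str, key: bytes) -> str:
    """Keyed pseudonym for one client (HMAC-SHA256, truncated for readability)."""
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, key: bytes) -> list:
    """Strip direct identifiers (name, email) and replace them with a keyed token.
    The key is the extra information that lets the controller re-link each row."""
    return [
        {"client_id": client_token(r["email"], key),
         "postcode": r["postcode"], "fee_gbp": r["fee_gbp"]}
        for r in records
    ]


def reidentify(pseudo: list, originals: list, key: bytes) -> dict:
    """Map each token back to a name. Works only for the holder of the key;
    with a different key nothing matches (every value is None)."""
    lookup = {client_token(r["email"], key): r["name"] for r in originals}
    return {p["client_id"]: lookup.get(p["client_id"]) for p in pseudo}


def anonymise(records: list, min_group: int = 2) -> dict:
    """Aggregate fees by postcode area and drop any group smaller than min_group.
    No key reverses this, so no output row identifies an individual."""
    groups: dict = {}
    for r in records:
        area = r["postcode"].split()[0]
        groups.setdefault(area, []).append(r["fee_gbp"])
    return {
        area: {"clients": len(fees), "avg_fee_gbp": sum(fees) / len(fees)}
        for area, fees in groups.items() if len(fees) >= min_group
    }


if __name__ == "__main__":
    key = b"constructed-demo-key"   # in practice a secret stored apart from the data
    pseudo = pseudonymise(CLIENTS, key)
    print(reidentify(pseudo, CLIENTS, key))       # names come back: still personal data
    print(reidentify(pseudo, CLIENTS, b"wrong"))  # all None without the key
    print(anonymise(CLIENTS))                     # only the SW1A group survives
```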


    Checklist for data protection in accounting firms

    ●  Automatic screen lock
    Firms should enable an automatic screen lock on workstations that triggers after 5-10 minutes of inactivity, to minimise unauthorised access to data and other applications on the computer.

    ●  Enforced password policy
    There should be a hardened password policy for every workstation in the accounting firm. For example, users must change their password at least four times a year, or must build each password from a combination of characters and numbers so that it is unique. You can also use tools such as password managers to generate unique, strong passwords.

    When an individual leaves your firm, you must immediately revoke the employee’s network access and disable their accounts and passwords.

    ●  Multi-factor authentication
    The best accounting firms in the UK use multi-factor authentication tools to protect clients from data breaches. These include two-factor authentication, physical security fobs and biometric scans.

    ●  Physical access security
    A workstation or tablet in an accounting firm holds client and firm data. Physical theft of a file server or of these devices can lead to a security breach, so firms need to protect their assets physically. For example, they can keep file servers in an unmarked, locked room and use encrypted storage disks in workstations.

    Each employee should have a unique access code for the office, and the owner must disable it when that person’s access ends.

    ●  Proper Data Asset Disposal
    Use inventory tags to track the firm’s equipment and document each acquisition, assignment and disposition. Additionally, securely destroy retired devices that may contain client data, and properly dispose of all physical documents containing data that have been sent into storage.

    ●  Data mapping for protected data access
    It is crucial for UK accounting firms to know where all their clients’ data resides and to limit user access to the systems that hold it. That data may sit on internal servers, mobile devices, workstations, backup systems, cloud applications, and USB or other storage drives.

    ●  Updated operating systems
    Keeping your operating system and critical workstation applications up to date is essential to protect network systems from attackers.

    Additionally, regularly check that the equipment making up the network, such as file servers, routers and firewalls, is running its current system updates.

    ●  Minimising administrative privileges
    IT personnel must withhold administrator privileges from ordinary users and grant only the level of access each user needs to complete their tasks. An attacker who obtains administrative privileges gains far greater control over network resources.

    ●  Install anti-virus/malware application
    Install proper anti-virus or security software on the firm’s file servers, workstations and mobile devices. Also ensure that it updates automatically and actively scans for malware at a scheduled time.

    ●  Protected data backup
    Every firm needs to keep data backups to protect itself against lost or corrupted data and to recover from ransomware attacks.

    The IT team should review backups regularly to confirm that they are complete and accessible. They should encrypt all backup data, including copies sent off-site over the internet or on physical storage media.

    ●  Secure client transmission
    You must train employees to use encrypted email and other portal solutions to securely transfer files to and from customers.

    ●  Secure staff connection
    You must train all staff to verify that their connection to a website is secure. A secured site shows a green padlock icon and HTTPS in the browser’s address bar.

    While working remotely, the team should use a virtual private network connection, and when using a client-provided Wi-Fi access point they must verify the SSID or password with the client before connecting.

    ●  Vet potential employees
    A significant percentage of data breaches involve internal personnel. Therefore, run a background check on every employee and contractor before granting them access to the firm’s network.

    ●  Review IT policies
    With the rapid growth of technology, firms need to update their IT/HR policies, including the security ramifications of BYOD (Bring Your Own Device), social media and remote working. Review the policies at least once a year.

    ●  Security Education
    Include data security training in the firm’s annual CPE curriculum. Owners should provide a yearly update on IT policies and train staff on current threats such as ransomware, smishing, vishing and phishing.

    Make sure employees understand that they should not entertain unsolicited support calls, give login credentials to unknown people, or download a file without verifying the website.

    ●  Breach response plan
    Don’t wait until an attacker has compromised your data to think about a cyber security incident response plan. Train your IT team on what to do when they suspect a breach and on the steps to verify and mitigate it.

    ●  Phishing training
    Educate your employees about current phishing schemes and train them to respond to suspicious emails. Additionally, remind staff not to click any link or open any attachment in an email without verifying it first.

    If an email seems questionable, they should check with the sender before acting on it.

    ●  Hire cybersecurity expertise
    If your internal IT team does not provide ongoing security support, it is unlikely to have the depth of cybersecurity expertise the firm needs.

    Therefore, you can hire an external cyber security expert to protect your firm by reviewing network security, taking preventive measures, and monitoring systems on an ongoing basis.

    ●  Cybersecurity insurance
    Accounting firms adopt new security measures but are never fully immune to new threats. It is therefore wise to review your insurance policy and check how much it covers in the event of a loss caused by a cybersecurity breach.

    How to report data protection breaches?

    Identify an infringement

    When you detect a breach, conduct a complete investigation to collect all information about it and report it to the authorities. The report must include the following details:

    • Who gained unauthorised access
    • When the breach occurred
    • Who will be affected
    • How the data could be used

    Inform regulatory bodies

    You must immediately inform the regulatory bodies and stakeholders within 72 hours of a breach.

    Additionally, if you have a data protection officer, report the incident to them. They will help you evaluate the extent of the violation and decide whether it should be taken to the privacy commission.

    If you don’t have a DPO or Data Protection Officer, it is better to appoint one immediately.

    Take preventive measures

    After a breach, take preventive measures to avoid a repeat. For example, deploy more capable security software that detects suspicious behaviour and alerts you to it.

    Attackers often use phishing, the exploitation of system vulnerabilities and social engineering to gain access to personal data.

    Other attack techniques keep evolving and can severely impact confidential data.

    Therefore, work through the checklist above to prepare your firm to confront these attacks and protect it from data breaches.
