CPA Privacy Best Practices
Whether you work alone or for a big firm, as a certified public accountant, you know privacy is important. But with new privacy laws being passed every year, it’s about to be more important than ever.
While laws protecting consumers’ sensitive personal data online are less than a decade old, governments have been passing laws protecting financial information for decades—because everyone wants to protect their money. In fact, there’s even an IRS rule about protecting taxpayer data that applies to CPAs.
One of the big laws, the Gramm-Leach-Bliley Act, passed in 1999, removed restrictions created during the Great Depression that barred financial institutions from combining banking, investment, and insurance services together. But it also created regulations to make the collection and disclosure of private financial information between these groups safer and more transparent.
The full picture of data privacy
When it comes to privacy, CPA firms are often ahead of the curve. Because they’re handling their clients’ financial information all day every day, they understand that data is as valuable a currency as actual currency. What they often fail to understand, however, is that it’s not only sensitive personal data that is subject to privacy compliance regulations. Instead, all data (including HR data and marketing data), needs to be handled in accordance with current privacy regulations.
New consumer privacy laws like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have changed the game dramatically. Because different jurisdictions have different regulations, this also means that firms have to comply with privacy laws depending on where their clients are. Firms that have clients in the EU have to deal with GDPR, while those in California have to deal with the CCPA.
Additionally, if all clients are in the U.S. but the employees of those clients live elsewhere, a firm could be subject to the regulations of the regions where their clients’ employees live. In other words, vendor due diligence requires companies to vet the firms they use, and a CPA firm could lose the business if it can’t comply—and that includes both marketing and HR data, too.
Applicable to both CPA firms and their clients, these new laws provide both significant challenges and opportunities that smart CPAs can leverage to increase their credibility with clients and grow revenue by providing new services.
Accountants take everything seriously (as they should)
Privacy concerns are so important to CPA firms that the American Institute of Certified Public Accountants (AICPA) created its Generally Accepted Privacy Principles (GAPP), a play on the standardized Generally Accepted Accounting Principles (GAAP), in 2009.
To account for the changes in technology and legal considerations surrounding consumer privacy, the AICPA Privacy Task Force revised the GAPP in 2020 and developed a new Privacy Management Framework (PMF) that helps CPA firms “address the business activities that involve collecting, creating, using, storing and transmitting personal information of individuals.”
The PMF breaks privacy management into nine categories, each of which requires a strategy and execution plan:
- Agreement, notice, and communication
- Data collection and creation
- Data use, retention, and disposal
- Data access
- Disclosure of data to third parties
- Data security for privacy
- Data integrity and quality
- Monitoring and enforcement of privacy program
Opening the curtain on privacy regulations
When the GDPR was passed in 2016, it was the first major consumer data privacy law in the world.
It wasn’t alone for long.
Since then, California has passed not one but two data privacy laws, with Virginia and Colorado following close behind. Multiple states have bills proposed, and other countries do too.
Consumer privacy protections are here to stay. While these laws have some significant differences, there are basic principles they all share, including:
- Consumers have the right to know what information companies are collecting about them, why it’s being collected, what is being done with it, and who it’s being shared with.
- Consumers have the right to correct and delete their information from a business’s databases.
- Consumers have the right to stop the sale or sharing of their personal information with third parties.
- Businesses are required to provide users with transparent privacy policies that explicitly detail their data collection and usage practices.
- Businesses must protect the consumer data they collect using reasonable security measures.
- If businesses share their users’ data with a third-party vendor, they must ensure that vendor is also compliant with regulatory requirements governing data processors.
CPA can also mean “crushing privacy accountability”
Unlike the privacy laws CPA firms are used to working under, laws like the GDPR and the CCPA are targeted towards protecting consumer information that is collected online.
This means that some of the information you are now responsible for may not belong to your actual clients, and it won’t be just financial data. If you collect or store information about site visitors, if you collect email addresses for marketing purposes, or if you are privy to information about your clients’ clients, all of that data is subject to the same privacy compliance laws as the data you use to deliver your services.
But here’s the silver lining: as CPAs, you probably have significantly more experience complying with privacy regulations than many of your clients do. If you put the time and effort into building a strong privacy program, not only will you be compliant, but you will also be able to help your clients do the same thing.
Whether you provide advice as a value-added service or by adding value to your fee services, having expertise in privacy compliance can make you invaluable to your clients.
Set a good example
Before you can embed yourself into your clients’ privacy operations though, you need to make sure yours are up to snuff.
Here are a few steps you can take today to put yourself on the right track.
- Hire a fractional privacy officer.
We know, we know. We told you we’d give you steps you can take. But hear us out.
To your clients, you’re the expert sounding board. We can be your expert sounding board. Red Clover Advisors can provide you with executive-level privacy strategy development, compliance roadmaps, and data management plans without you having to pay executive-level prices. Hiring RCA will allow you to ramp up your privacy program quickly and efficiently.
Mapping data, also called a data inventory, involves following your data records’ journey through your system, from collection to processing to storage to deletion.
Completing this exercise will tell you if you are:
- Collecting too much data and storing it for too long
- Getting bad data from users
- Using security programs or vendors that put your data at risk for exposure
It will also identify which data falls under the privacy laws that your firm is required to comply with, as well as what needs to be included in your privacy notice.
Your website probably has cookies, and it may not have the right banner in place to indicate this. But with all major internet browsers banning the use of third-party cookies, it’s time to start building up your system’s first-party cookies. You’ll get better data from them, anyway.
Also, most privacy laws have requirements about how and when you notify users about your cookies, and many have stipulations for opting-out or opting-in to cookie tracking.
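The opt-in requirement above is easy to get wrong in practice: a tracking script that fires before the user has answered the banner sets the cookie regardless of what the banner says. The snippet below is an added illustration (not code from the original article or from Red Clover Advisors) of the simplest way to get this right on a site: record consent per category in a first-party cookie, refuse to set any non-essential cookie until that category has been granted, and delete a category’s cookies when consent is withdrawn. The category names, the `cookie_consent` cookie name and the plain-object "jar" standing in for `document.cookie` are assumptions so that it runs outside a browser.

```javascript
// Added example, not from the original article. Consent-gated cookie setting.
// "jar" is a plain object standing in for document.cookie (an assumption so the
// code runs in Node); in a browser you would wrap document.cookie instead.

const ESSENTIAL = "essential";   // needed to run the site; no opt-in required
const ANALYTICS = "analytics";   // non-essential: needs opt-in before setting
const MARKETING = "marketing";   // non-essential: needs opt-in before setting
const CONSENT_COOKIE = "cookie_consent"; // assumed first-party cookie name

// Default consent state: nothing non-essential is granted until the user says so.
function createConsentState() {
  return { [ANALYTICS]: false, [MARKETING]: false };
}

// The banner must be shown when no consent record exists yet.
function bannerNeeded(jar) {
  return jar[CONSENT_COOKIE] === undefined;
}

// Persist the user's choices in a first-party cookie so later page loads honour them.
function saveConsent(jar, consent) {
  jar[CONSENT_COOKIE] = JSON.stringify(consent);
  return consent;
}

// Load the stored record; anything malformed or missing falls back to "nothing granted".
function loadConsent(jar) {
  const raw = jar[CONSENT_COOKIE];
  if (raw === undefined) return createConsentState();
  try {
    return { ...createConsentState(), ...JSON.parse(raw) };
  } catch {
    return createConsentState();
  }
}

// The only place cookies get written: essential cookies always pass,
// everything else is blocked until its category has been granted.
// Returns true if the cookie was set, false if it was blocked.
function setCookieIfAllowed(jar, consent, name, value, category) {
  if (category !== ESSENTIAL && consent[category] !== true) return false;
  jar[name] = value;
  return true;
}

// Withdrawing consent has to remove cookies already set for that category,
// not just stop new ones. cookiesByCategory maps category -> cookie names.
function revokeCategory(jar, consent, category, cookiesByCategory) {
  consent[category] = false;
  for (const name of cookiesByCategory[category] || []) delete jar[name];
  return saveConsent(jar, consent);
}

// Stand-alone walkthrough with a constructed jar.
const demoJar = {};
const demoConsent = loadConsent(demoJar);
setCookieIfAllowed(demoJar, demoConsent, "session_id", "abc123", ESSENTIAL); // set
setCookieIfAllowed(demoJar, demoConsent, "_analytics", "u1", ANALYTICS);     // blocked
```

The point of routing every cookie write through one function is auditability: a data inventory can list each cookie with its category, and the gate guarantees that nothing in a non-essential category is written before the user has granted it.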
We always recommend our clients get rid of privacy policies that read like something out of a law journal in favor of a brief, user-friendly description of the whys and hows and whos of their data collection and processing program. This open, transparent, and friendly approach to privacy will not only improve the user experience, but it will also mark you as a privacy-forward company.
Your employees aren’t going to be able to execute your own privacy program, let alone help your clients build theirs, if they don’t understand what they’re doing and why. A majority of data breaches are caused by human error, and training is your best bet at preventing simple mistakes from turning into costly headaches.
It’s going to matter to your clients
Because privacy laws hold companies responsible for data breaches through their vendors, it’s becoming common for businesses to select a CPA firm based on their privacy practices. Businesses will go through their due diligence processes and won’t hire a firm if they can’t comply with privacy laws or don’t have strong privacy and security practices.
Additionally, insurers are beginning to deny coverage to companies that don’t have adequate data privacy programs in place.
And most businesses aren’t ready.
In December 2019, a month before the CCPA became effective, as many as 91% of companies hadn’t finished the compliance work they needed to do, and 34% had just barely started. With new privacy laws passing every year and old ones being constantly updated, it’s safe to say you have clients who need help.
As someone they already trust, your CPA firm has a real opportunity to solidify and grow your place in their processes by providing education, assessing the range and quality of their data privacy controls, and conducting security reviews.
And we can help you. If you want more information about how Red Clover Advisors can help you build a privacy program that helps your clients build theirs, call us today.