No accountability

Mar 26, 2023

In February, the Information Commissioner issued a bewildering press release headlined “Information Commissioner’s Office calls for accountants to play their role in SMEs data protection compliance”. Like many in the DP sector, my instinctive reaction was “what role?”. What is it about being an accountant that gives you a role in advising your clients on data protection?

IMPORTANT QUALIFICATION: there are accountancy firms who have actively built a role as small business advisors. They’ve recruited specialists or developed expertise in house on data protection and other matters. I am not dunking on anyone who has done this. Some marketing companies have done the same thing from a different angle. It’s fine.

But the majority of accountants are, well, accountants. I wouldn’t ask my accountant for data protection advice any more than he would ask me to do his VAT. Expecting a profession to suddenly step outside their area of expertise without a good reason is an odd choice in any situation, but it’s particularly strange for the ICO to imply that data protection is something that anyone can randomly pick up.

The only concrete element in the ICO’s press release is research they did in 2021 with “over 200 SMEs” which found that “over a third (34%) of SMEs trust their accountants for advice and a fifth (20%) actively use theirs to keep them up to date on data protection and GDPR”.

If you’re sitting there thinking that a competent regulator couldn’t possibly call on an entire sector to start advising outside their area of expertise off the back of one piece of research from two years ago, strap in. I knew there was something fishy about this announcement because it felt so weightless. There was no mention of consulting the sector, no backing from any industry body, nothing concrete, just some anecdotes from the Head of Business Services.

So I sent an FOI request asking for three things –

  1. Any recorded information about the role of accountants in the data protection compliance activities of their clients including the basis of the ICO’s call for them to be involved.
  2. Any recorded information that shows what consultations or discussions the ICO has carried out with representative bodies of accountants, or specific accountants’ firms about the role that the ICO perceives them to have.
  3. Any recorded information about research the ICO has carried out into the suitability, qualifications and capacity of accountants to give advice on data protection.

The answer to the first question is the research mentioned above. ICO has no other information about accountants’ specific role. The answer to the second and third questions is that there’s nothing. The absence of information doesn’t automatically mean that something didn’t happen, but I think it’s inconceivable that the regulator could have consulted accountancy bodies or accountants’ firms, or carried out an assessment of whether this call was appropriate and have nothing recorded to show for it. Aside from anything else, ICO is always keen to finesse embarrassing looking FOI responses whenever they can – if they’d bothered to talk to a single accountant before publishing this, you’d think they’d have mentioned it.

Let me spell this out: the ICO asserted that accountants have a central role in SMEs’ GDPR compliance and called on them to act on this, despite not having spoken to any accountants about it, or assessing whether they are indeed suitable to do so. They just conjured it up out of thin air and ran with it.

Whether it’s small things like John Edwards claiming in a speech at an IAPP conference that a reprimand on the Met Police was the first time ICO had enforced on subject access (a claim which is completely false), or big issues like ICO’s commitment to save UK businesses £100 million, a figure which is based on nothing more than previous ICO guesswork, the regulator’s increasing lack of rigour should worry anyone working on data protection in the UK.

Aside from the fact that a serious organisation wouldn’t do something so shoddy and unprofessional, it’s also further evidence of Edwards’ devaluing of the professional data protection sector. He’s let slip a couple of times hints of his resentment that the ICO isn’t the only or best source of advice on information rights matters, and now his office is saying that GDPR isn’t a specialist activity, just ask your accountant. I’m surprised they didn’t go for hairdressers.

I’m sure that some people will think I’m being unfair; if ICO says accountants are the go-to source for data protection expertise, that is good enough. There will also be those who think I’m annoyed because this might eat into my business. As it happens, the great majority of my clients are big organisations with their own DPOs and legal departments; they’re people who find the ICO’s output too bland or generic. This doesn’t affect me.

The reason that the DP sector has so many excellent consultants and trainers is because they’re needed. Data Protection is a subtle, complex subject and the ICO cannot provide the advice and support that everyone requires. Businesses of all sizes need specialists, not tourists encouraged to take on a side hustle. I know some superb professionals who specialise in working with SMEs, and the fact that ICO seeks to denigrate their work rather than support them (or just stay out of their way) is appalling.

The ICO’s silly press release has no basis and no justification. It’s petulant and counterproductive. Rather than driving SMEs into getting advice from the wrong people, they should delete it and ask themselves how they’ve got into this mess.