My Account
Basket (0)
Contact Us Email Newsletters

GDPR is Here to Stay – How are You Doing (part 2)?

By David Norris

In this second part in our series of GDPR articles, we consider what needs to communicated to clients and other key parties.

Communication with clients

Once the firm has trained staff and understood what data it has, the firm should then be ensuring that engagement letters have been updated or an addendum has been sent out so that clients are aware of the firm’s policies with regard to data protection and data retention. Much of this documentation is standard and will not need to be signed by the client – the firm is just stating how it collects and processes data.

For example, the firm will produce a paragraph (often called a Privacy Notice) that confirms how the firm will deal with data if engaged to prepare a tax return. This standard wording can be found in SWAT’s manuals as well as on the ICAEW GDPR hub. This will need to be repeated for other services.

Firms will also need to develop data retention policies to describe how long they should keep data. This can be specific to the firm and does not have to be a standard period, but the firm will presumably start by looking at how long HMRC can look back at the data and PII providers might also have opinions on how long to keep data. The firm’s policy will need to be communicated to staff and consideration given to how this is implemented in practice, along with how often data is purged from the system.

Communication with others

Firms should also be confirming with key suppliers and subcontractors how they should deal with data. For example, there is little point in the firm being GDPR compliant if it then sends data to an external processor or IFA for them to not be compliant in the way they handle data. Firms should also ensure that any cloud software providers have confirmed they are GDPR compliant. This is particularly important for non-EEA providers as they will have no automatic requirement to comply with this European regulation. 

Firms might also be getting questions from clients that are looking for confirmation they are compliant and often clients will not rely on the engagement letter and so firms will need to reply carefully.

To enable the firm to demonstrate to the wider world that it has good procedures, it could look to get its procedures certified. This will help the firm to review its procedures and enable it to stand out from its competitors. ISO 27001 is certainly an option, but Cyber Essentials might be a better starting point.

Cyber Essentials

In conjunction with the government, the ICAEW launched Cyber Essentials to help UK businesses protect themselves. 

Cyber Essentials aims at the most basic technical controls (5 in total) and doesn’t supersede other standards, such as ISO27001, but is a base level of cyber hygiene which all businesses should have in place. It won’t prevent all security breaches, but it will raise the bar significantly for many firms who are currently very vulnerable.

It incorporates a ‘badge’ system to demonstrate compliance with the controls. To get a Cyber Essentials badge, a business fills in a questionnaire on the controls, which is then validated by a qualified professional. 

Further information can be found here.


The firm has to consider how it communicates to all parties it interacts with and the above points need to be dealt with. A certification like Cyber Essentials can help promote a powerful message that the firm is good with data, which might be a vital message in this digital world.


Need some help complying with GDPR?

We offer a range of training and resources to help your firm comply with GDPR. Click here to find out more or call our friendly team on 0845 450 5555*.

Other articles in this series

GDPR is Here to Stay – How Are You Doing (part 1)?


September 2018 


This article is published with the understanding that SWAT UK Limited is not engaged in rendering legal or professional services. The material contained in this article neither purports, nor is intended to be, advice on any particular matter. This article is an aid and cannot be expected to replace professional judgment. SWAT UK accepts no responsibility or liability to any person in respect of anything done or omitted to be done by any such person in reliance, whether sole or partial, upon the whole or any part of the contents of this article.