General Data Protection Regulation (GDPR)




What is GDPR


The General Data Protection Regulation (GDPR) is the latest data protection legislation from the EU, which comes into effect on 25th May 2018.

Who is impacted by GDPR?


Any organisation directing services to EU citizens will have to comply with GDPR.

What is the impact of GDPR post Brexit?


The UK was very involved in the creation of the GDPR. The government has stated they are committed to this Regulation and we can expect that any UK version won’t differ very much from the approved text.

Also, if you do business within the EU, you will have to comply whether or not the UK has different data protection laws.

How will GDPR impact accountants?


Accountants, like all other businesses, need to comply with the GDPR. Practices should take steps to educate themselves and ensure they comply with the new regulations.

What will happen if businesses don’t comply?


Breaches of the GDPR will result in very high fines of up to €20m or 4% of annual turnover, whichever is higher, as well as the associated reputational damage.

What is the difference between a data controller and a data processor?


A “data controller” is a person or company who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

A “data processor”, in relation to personal data, is a person or company (other than an employee of the data controller) who processes the data on behalf of the data controller.

The Information Commissioner's Office provides more details here:

Should accountants notify their clients about GDPR?


Yes, accountants should explain their area of responsibility and notify clients about these areas, e.g. the practice's GDPR policies around data retention, security etc.

Can we still use email when communicating to clients and prospects?


Yes, you can still use email; however, once the GDPR comes into effect, your clients (and prospects) have to opt in to your communications.

However, you should be mindful of the information you are sharing with clients. Personal and financial information should be sent securely. IRIS recommends accountants use IRIS OpenSpace when sharing sensitive financial information with clients.


Is IRIS registered with the Information Commissioner's Office (ICO)?


IRIS is registered with the ICO.

Products can’t be registered with the ICO, only legal entities that are data controllers. The ICO register is public and open to anyone to search. The IRIS Group registration can be seen here:

Will IRIS provide standard privacy notices for practices to use?


No, IRIS will not provide standard privacy notices. Each practice needs to determine how it uses client data, who has access to that data, how clients can request access, etc. The practice then needs to inform its clients accordingly. Using a standard template is not an option under GDPR; each practice needs to create its own policy that reflects its processes.

The Information Commissioner's Office has a Privacy, Transparency and Control Code of Practice as a useful reference. This policy can be found here:

Do IRIS products carry out anything that falls under “automated decision making including profiling”?


No, there are no automated processes in IRIS products that make decisions about people. This aspect of GDPR is concerned with decisions made about individuals based on purely automated algorithms without any human involvement. For example, when applying for a loan, the decision may be based on credit scoring. Another example would be the personality profiling tests that some people take when applying for a job.

Accountancy bodies are issuing guidance on GDPR. Has IRIS considered this guidance?


IRIS has reviewed the guidance from the major governing bodies, and the essence of their advice is covered in our product Terms and Conditions of use, which can be found here:

IRIS OpenSpace

Where is my data held?


The OpenSpace platform is based on Microsoft Azure; its servers are based in Amsterdam, with a backup (for redundancy) based in Dublin. More details can be found here:

How secure is my IRIS OpenSpace account?


Your password is stored as a salted hash rather than in clear text. This means we do not know your password, and anyone who looks in our database cannot read your password from it.
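The following is an added illustration of the salted-hash storage described above; it is example code, not IRIS's own, and since the page does not say which algorithm IRIS uses, PBKDF2-HMAC-SHA256 with constructed sample values is assumed here.

```python
import hashlib
import hmac
import os

# Assumed parameters for illustration only; the page does not state IRIS's actual choice.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a storable record of the form algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn for every password, so two users with the same
    password get different records and precomputed lookup tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Re-derive the digest with the stored salt and compare it in constant time.

    The record never contains the password itself: verification only recomputes
    the digest and checks it against the stored one, so a database dump does not
    reveal what the password is.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: what one user's database row would hold.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("same password hashed again gives a different record:",
          hash_password("correct horse battery staple") != stored)
    print("login with right password:", verify_password("correct horse battery staple", stored))
    print("login with wrong password:", verify_password("wrong password", stored))
```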

Are the files encrypted by IRIS OpenSpace?


All files are encrypted in transit using SSL and AES.

Are my files in IRIS OpenSpace backed up?


Yes, Locally Redundant Storage is part of the Microsoft Azure platform that IRIS OpenSpace runs on.

Simply put, this means that three copies of all data are stored at the Microsoft data centre; so if, for example, the main storage were to fail, Azure would instantly switch over to one of the copies without any effect on the application or its data.

IRIS Insight

Where is my data held?


IRIS Insight is also based on Microsoft Azure; its servers are based in Amsterdam, with a backup (for redundancy) based in Dublin. More details can be found here:

Is my IRIS Insight data encrypted?


We use SSL (Secure Sockets Layer) encryption to protect your data as it is sent over the internet between you and Insight. You will see a padlock icon in your browser when you register or log in to your IRIS Insight account, which shows that this encryption is in place.


KashFlow

Where is my KashFlow data held?


KashFlow is hosted on Rackspace servers which are based in the UK. More details can be found here:

How safe is my KashFlow data?


The servers that power KashFlow are highly secure and are protected by an advanced firewall. The firewall and the servers are monitored 24 hours a day for any suspicious activity, so you can rest assured that even while you sleep your data is being actively protected. It would be easier to break into your office to steal your accounting information than it would be to break into our servers.

More details can be found here: 
