General data protection regulation : the role of Maltese accountancy firms

Abstract

Purpose: The aim of this dissertation is to raise awareness regarding the impact of the GPDR. Thus, the study seeks to identify the role local accountancy firms have undertaken to become compliant with the Regulation through various measures and procedures. Additionally, the challenges and opportunities of such role are also identified along with the relevance of the Regulation in today’s digital world.

Design: A qualitative approach was adopted by means of 11 semi-structured interviews. These were conducted with employees within accountancy firms who acquire the most sound expertise on the subject matter and a Director from the International Tax Unit. Snowballing was undertaken whereby data was collected by a key person who in turn recommended other suitable experts in the field who could assist in the conduct of this study.

Findings: To date, various measures were undertaken with the aim of becoming compliant with the GDPR. The findings revealed that the “Big 4” firms were impacted on a smaller scale compared to the SMPs. It was evident that the ‘one size fits all’ approach of the Regulation resulted to be daunting for the smaller firms. Additionally, the challenges were disproportionate to the benefits indicating that accountancy firms have yet to establish the opportunities emanating from the Regulation. The fact that the IDPC provided very few guidelines on how to implement such a demanding Regulation played a major role in the way SMPs interpreted such Regulation. Lastly, the findings suggest that the Data Protection Directive of 1995 did not take into account how firms collected data of clients and individuals. For this reason, it was felt that the Regulation was necessary, however, to a lesser degree than its current form.

Conclusion: The Regulation provided a two-year implementation period prior to it coming into force on the 25th of May 2018. Notwithstanding this timeframe, the IDPC failed to invest the necessary resources to prepare firms for such a change. This led to the smaller firms finding it substantially costly to implement. Having said that, firms have taken their own initiative using a risk-based approach for the implementation to be feasible and sustainable, resulting in an effective compliance with the Regulation.

Value: This Dissertation sheds light on the measures undertaken to enhance data protection in Malta and decrease the number of data breaches that have already taken place. Furthermore, it provides valuable insights on the need for such a revolutionary Regulation and the improvements in the quality and services that accountancy firms have engaged in.