Information For accountants

The fundamentals of what we do are based in data privacy legislation not accounting practice therefore accountants may not be aware, nor would they be expected to be, of their client’s exposure.

The process is NOT a tax avoidance scheme; it simply applies established legal requirements compliance with 99 Data Privacy regulations (GDPR) and follows standard accounting practices (specifically FRS102 / IAS37).

Our directors have been in conversation with HMRC for over two years. These conversations have allowed us to refine to process and ensure that the provisions we put in place for your clients will be accepted. 

HMRC have acknowledged that "there may be circumstances when a provision for GDPR fines and or compensation may be made in the accounts if it complies with GAAP, in this case the requirements of FRS102."

CTR have a strict eligibility criteria that our clients have to comply with before we can put the provision in place. 

Clients MUST comply with ALL of the below points:

1. That the business must have been trading for at least two years at the point we audit them.
2. That the business must have either a significant volume of personal data, or process financial data or hold or use sensitive personal data (now called Special Category data).
3. The business must have paid or be due to pay over £20,000 in corporation tax in the last two years.
4. The business must have positive reserves / shareholders funds. 

Clients must also have had AT LEAST ONE of the below points: 

• A business has received any notification of a claim from or relating to an individual.
• A business has received notification from the ICO that it has received a complaint.
• A business has notified their clients of a breach.
• A business has notified the ICO of a breach.

And, clients must also meet one or more of the criteria below:

• The business definitely knows that it has lost personal data.
• The business knows that its privacy notice is missing or defective. 
• The business knows that it has not executed its obligations to put in place reasonable levels of technical or organisational security to protect data.
• The business knows it has not verified the security position of third parties whose services or systems they use to hold or otherwise process personal data.

As with any provision, it either needs to be realised or reversed. 

CTR will conduct annual reviews to assist in planning the reversal of the provision over a period of time, in accordance with the remediation works the client has undertaken.

As the provision is slowly reversed, the business is becoming more compliant with the data privacy legislation and therefore increasing the value of the company as a whole.

However, as data collection, storage and use will continue in line with the business, it is likely that a smaller but ongoing provision will be required as GDPR is an ongoing issue and no business can become 100% compliant.

For example:

• It is going to take time to fix the historic breaches, and they will never be fully dealt with, so some level of provision should always be retained.
• All businesses are always going to be subject to cyber-attacks (that give rise to associated claims); and
• Businesses will always get something wrong in relation to the 99 GDPR rules, because of their complexity.

The standards we work with are FRS102 and IAS37.

FRS102

An entity shall recognise a provision only when:

• The entity has an obligation at the reporting date as a result of a past event;

• It is probable (i.e. more likely than not) that the entity will be required to transfer economic benefits in settlement

• The amount of the obligation can be estimated reliably

IAS37

This stipulates the criteria for provisions, contingent liabilities and contingent assets which must be met in order for a provision to be recognised, so that companies should be prevented from manipulating profits: 

• There needs to be a present obligation from a past event 

• There needs to be a probable outflow

• There needs to be a reliable estimate

Although the provision may cause a negative balance sheet, the business is not Insolvent as long as they can pay their bills when they become due. The recovery of the corporation tax and the future reduction in taxable profits means that the cash flow is positively strengthened.

These can be paid provided there are reserves. The adding back of the corporation tax recovery strengthens the reserves so paying dividends should not be an issue; however, we will work with each client to address any concerns.

If the business has contracts that include liquidity ratios or similar, then these will not be affected. If the ratios involve profitability, then this may need negotiation but the effect of cashflow improvement by way of a corporation tax repayment should satisfy the lender. This would need to be reviewed on a case-by-case issue, as a borrower may have other matters to consider such as repayment history causing the bank to refuse future lending.