Is your accounting outsourcing provider GDPR compliant?

The General Data Protection Regulation (GDPR) will become reality on May 25, 2018, and organisations across the globe are preparing to meet the extensive requirements of the new regime.

As an evolution of the 1995 Data Protection Directive, GDPR introduces a new concept of accountability, which requires businesses that deal with EU data to “demonstrate compliance” with the core principles of data protection.

While the change stems from Europe, organisations around the world must comply if they offer goods and services to the EU.

This includes implementing a more prescriptive data processing arrangement. However, it doesn’t stop at how the data is processed within your practice. It also includes how data moves to and between the companies you work with, right from payroll bureaus, cloud providers, to outsourcing companies.

The roles of ‘data processors’ and ‘data controllers’

If you are an accountancy practice you are the data controller. That is because as a data controller you determine the purposes and means of processing personal data. In plain English, you decide what the data is for and what’s going to happen to it. But a data processor has a distinct meaning under GDPR. It refers to the person or body who is separate from you (i.e. not an employee) and who processes personal data on your behalf. In plain English, the controller gives the processer a specific job to to and the processor does it. This in our case would be an outsourcing company like QXAS.

Choosing an outsourcing provider (GDPR Supplier checklist)

GDPR marks a huge change in the balance of responsibility between data controller and data processor. Under the new regulations, outsourcing companies will have more responsibility to protect their clients’ data. Which means as data controllers accountancy firms will have to start questioning their current or potential outsourcing partners if they meet GDPR requirements and how they can demonstrate it.

To help you ensure your outsourcing provider is complying with GDPR, use our three-pronged supplier checklist, which takes into account the legal, operational and technological perspective:

• GDPR compliant: Understand if the outsourcer is GDPR compliant? Or if they plan to be compliant before May 25, 2018. You should be confident that the outsourcing company has conducted internal data protection impact assessments (Article 35), signed a written data processing agreement with you (Article 28),  implemented appropriate security standards (Article 32), and are compliant with the provisions on international data transfers (Chapter V).
• Business Contracts: Article 28 of the GDPR provides a long list of obligations that controllers will need to impose on the processors. With the risk of non-compliance far greater than ever before, such clauses will need to be covered off in your business contracts with the outsourcer. Find out if your suppliers have renewed contracts/written agreements with their current clients so both meet the requirements of GDPR.
• Focus on security: There are questions about the storage of data, but the crucial point is whether your suppliers have appropriate safeguards and security procedures that meet the GDPR standards. For example, if outsourcers are storing data outside the EU, your client’s personal data attributes would need to be anonymised, encrypted, archived and deleted (data life cycle management).

How is QXAS protecting your personal data?

Trust is the foundation of our relationship with our accounting clients. We value the confidence they put in us and take full responsibility of protecting their information seriously.

• ISO 27001 & BS 1002:2017. We have a track record of staying ahead of the compliance game – for example, our security practices have for years complied with ISO 27001 – the most widely accepted standard for data privacy and protection.  On 26 April, 2018 we also became the first outsourcing company in India to be GDPR compliant via the British Standards ISO BS1002:2017 framework (more on what this means below). To better understand our security procedures, you can refer to our Security page.
• Dedicated DPO.  We have dedicated data protection officer (DPO) and a supporting team who are involved in designing and maintaining our privacy framework and policies to safeguard clients’ data in line with the requirements of GDPR.
• Data flows. QX’s DPO conducted a comprehensive data-mapping exercise, which tracks how our clients’ personal data flows throughout our systems and services. Our data maps have been finalised.
• Business Contracts. Our business agreements and contracts now incorporate data processing clauses to help our accounting clients comply with GDPR. We are also committed to help our clients prepare for the obligations under GDPR. For more information on how we can support your compliance journeys please email [email protected]
• Data subject rights. We have developed procedures to deal with key ‘data subject’ rights, like subject access requests (SAR), and the right to request data erasure. More details can be found in our privacy policy.

• Consent Management system. Our cross-functional GDPR team have put together a comprehensive consent management system to ensure our marketing communications only go out to businesses who have opted-in.

• Privacy policy. We also updated our Privacy Policy on April 6, 2018 to give our website users more clarity about the information we collect, how we use it and the rights they have in relation to this information.

First GDPR compliant knowledge process outsourcing (KPO) company in India

QXAS met with the requirements of GDPR on 26 April 2018 via the ISO BS 10012:2017 framework – it’s the only available industry code of conduct that aligns with GDPR requirements. We are the first outsourcing company in India to have been awarded the standard – exactly a month before the deadline comes into effect!

What does it mean to be a BS10012 certified service provider?

It means we has developed and deployed standard processes to ensure:

• QX has a legal basis to process personal data
• QX limits data processing only to the agreed purpose
• QX transfers/shares only what is agreed and only though approved channels
• QX collects and processes minimum necessary data
• QX securely disposes data after the defined retention period
• QX has applied adequate information security and cyber security controls
• QX has appointed a certified Data Protection Officer (DPO)

Why is this important to accounting practices outsourcing to India?

By working with non-compliant outsourcing companies post May 25, 2018, you expose yourself to a risk which has the potential for reputational damage, not to mention significant new fines which are up to €20 million or 4% of a company’s global annual turnover, whichever is higher.

If you have any additional questions regarding GDPR, we’ll be happy to have a member of our team assist you. Please contact us at [email protected] 

Give QXAS accounts outsourcing a try. Get started with a free-trial.

Disclaimer – This blog is intended to provide helpful guidance on GDPR and does not constitute legal advice.  You should undertake your own steps to ensure compliance.