Blog

Topics: accountants, Outsourcing

Is your accounting outsourcing provider GDPR compliant?

5 MIN READ | Posted on May 01, 2018
Written By VISHAL KURANI

Is your accounting outsourcing provider GDPR compliant?

The General Data Protection Regulation (GDPR) will become reality on May 25, 2018, and organisations across the globe are preparing to meet the extensive requirements of the new regime.

As an evolution of the 1995 Data Protection Directive, GDPR introduces a new concept of accountability, which requires businesses that deal with EU data to “demonstrate compliance” with the core principles of data protection.

While the change stems from Europe, organisations around the world must comply if they offer goods and services to the EU.

This includes implementing a more prescriptive data processing arrangement. However, it doesn’t stop at how the data is processed within your practice. It also includes how data moves to and between the companies you work with, right from payroll bureaus, cloud providers, to outsourcing companies.

The roles of ‘data processors’ and ‘data controllers’

If you are an accountancy practice you are the data controller. That is because as a data controller you determine the purposes and means of processing personal data. In plain English, you decide what the data is for and what’s going to happen to it. But a data processor has a distinct meaning under GDPR. It refers to the person or body who is separate from you (i.e. not an employee) and who processes personal data on your behalf. In plain English, the controller gives the processer a specific job to to and the processor does it. This in our case would be an outsourcing company like QXAS.

Choosing an outsourcing provider (GDPR Supplier checklist)

GDPR marks a huge change in the balance of responsibility between data controller and data processor. Under the new regulations, outsourcing companies will have more responsibility to protect their clients’ data. Which means as data controllers accountancy firms will have to start questioning their current or potential outsourcing partners if they meet GDPR requirements and how they can demonstrate it.

To help you ensure your outsourcing provider is complying with GDPR, use our three-pronged supplier checklist, which takes into account the legal, operational and technological perspective:

  • GDPR compliant: Understand if the outsourcer is GDPR compliant? Or if they plan to be compliant before May 25, 2018. You should be confident that the outsourcing company has conducted internal data protection impact assessments (Article 35), signed a written data processing agreement with you (Article 28),  implemented appropriate security standards (Article 32), and are compliant with the provisions on international data transfers (Chapter V).
  • Business Contracts: Article 28 of the GDPR provides a long list of obligations that controllers will need to impose on the processors. With the risk of non-compliance far greater than ever before, such clauses will need to be covered off in your business contracts with the outsourcer. Find out if your suppliers have renewed contracts/written agreements with their current clients so both meet the requirements of GDPR.
  • Focus on security: There are questions about the storage of data, but the crucial point is whether your suppliers have appropriate safeguards and security procedures that meet the GDPR standards. For example, if outsourcers are storing data outside the EU, your client’s personal data attributes would need to be anonymised, encrypted, archived and deleted (data life cycle management).

How is QXAS protecting your personal data?

Trust is the foundation of our relationship with our accounting clients. We value the confidence they put in us and take full responsibility of protecting their information seriously.

  • ISO 27001 & BS 1002:2017. We have a track record of staying ahead of the compliance game – for example, our security practices have for years complied with ISO 27001 – the most widely accepted standard for data privacy and protection.  On 26 April, 2018 we also became the first outsourcing company in India to be GDPR compliant via the British Standards ISO BS1002:2017 framework (more on what this means below). To better understand our security procedures, you can refer to our Security page.
  • Dedicated DPO.  We have dedicated data protection officer (DPO) and a supporting team who are involved in designing and maintaining our privacy framework and policies to safeguard clients’ data in line with the requirements of GDPR.
  • Data flows. QX’s DPO conducted a comprehensive data-mapping exercise, which tracks how our clients’ personal data flows throughout our systems and services. Our data maps have been finalised.
  • Business Contracts. Our business agreements and contracts now incorporate data processing clauses to help our accounting clients comply with GDPR. We are also committed to help our clients prepare for the obligations under GDPR. For more information on how we can support your compliance journeys please email [email protected]
  • Data subject rights. We have developed procedures to deal with key ‘data subject’ rights, like subject access requests (SAR), and the right to request data erasure. More details can be found in our privacy policy.
  • Consent Management system. Our cross-functional GDPR team have put together a comprehensive consent management system to ensure our marketing communications only go out to businesses who have opted-in.
  • Privacy policy. We also updated our Privacy Policy on April 6, 2018 to give our website users more clarity about the information we collect, how we use it and the rights they have in relation to this information.

First GDPR compliant knowledge process outsourcing (KPO) company in India

QXAS met with the requirements of GDPR on 26 April 2018 via the ISO BS 10012:2017 framework – it’s the only available industry code of conduct that aligns with GDPR requirements. We are the first outsourcing company in India to have been awarded the standard – exactly a month before the deadline comes into effect!

What does it mean to be a BS10012 certified service provider?

It means we has developed and deployed standard processes to ensure:

  • QX has a legal basis to process personal data
  • QX limits data processing only to the agreed purpose
  • QX transfers/shares only what is agreed and only though approved channels
  • QX collects and processes minimum necessary data
  • QX securely disposes data after the defined retention period
  • QX has applied adequate information security and cyber security controls
  • QX has appointed a certified Data Protection Officer (DPO)

Why is this important to accounting practices outsourcing to India?

By working with non-compliant outsourcing companies post May 25, 2018, you expose yourself to a risk which has the potential for reputational damage, not to mention significant new fines which are up to €20 million or 4% of a company’s global annual turnover, whichever is higher.

If you have any additional questions regarding GDPR, we’ll be happy to have a member of our team assist you. Please contact us at [email protected] 

Give QXAS accounts outsourcing a try. Get started with a free-trial.

Disclaimer – This blog is intended to provide helpful guidance on GDPR and does not constitute legal advice.  You should undertake your own steps to ensure compliance.

VISHAL KURANI

Bringing forth rich marketing experience in the accounting industry, Vishal blends his wealth of knowledge and creativity to educate accountants about the pressing industry issues. He is passionate about marketing and helps accountants scale their practice through his detailed write-ups.

Unauthorized copying or plagiarism of our content is a violation of intellectual property rights. We take such matters seriously and will pursue legal action to protect our original work. Anyone found engaging in such activities will be held accountable under applicable laws.

Originally published May 01, 2018 02:05:57, updated Aug 01 2024

Topics: accountants, Outsourcing


Don't forget to share this post!

Related Topics

5 Tips to Manage Your Accountancy Firm During the Holidays

5 Tips to Manage Your Accountancy Firm D...

19 Dec 2024

The holiday season is almost here, and let’s be honest—who doesn’t want a break? After months ...

Read More
QX Global Group Wins the ACCA Talent and Engagement Leader Award

QX Global Group Wins the ACCA Talent and...

17 Dec 2024

QX Global Group Inc., takes pride in announcing that we have won the ACCA Talent and Engagement Lead...

Read More
Private Equity, Outsourcing, and the Future of Audit Firms

Private Equity, Outsourcing, and the Fut...

13 Dec 2024

The audit industry is changing fast. For audit firms grappling with tighter margins, increasing regu...

Read More
Avoiding Costly Payroll Mistakes: A Guide for Accountancy Firms

Avoiding Costly Payroll Mistakes: A Guid...

10 Dec 2024

Let’s face it—payroll is both crucial and cumbersome. As an accountant, you know how much ti...

Read More

Subscribe to our blog

Get the latest posts in email

We’re committed to your privacy. QX uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our privacy policy.