{"id":1560,"date":"2018-05-16T03:01:48","date_gmt":"2018-05-16T03:01:48","guid":{"rendered":"https:\/\/qxaccounting.com\/uk\/?p=1560"},"modified":"2025-09-24T09:58:46","modified_gmt":"2025-09-24T09:58:46","slug":"gdpr-and-accounts-outsourcing-implications-of-working-with-a-noncompliant-partner","status":"publish","type":"post","link":"https:\/\/qxaccounting.com\/uk\/blog\/gdpr-and-accounts-outsourcing\/","title":{"rendered":"GDPR and Accounts Outsourcing: Implications of Working with a Non-compliant Partner"},"content":{"rendered":"\n<p><a href=\"https:\/\/www.gov.uk\/data-protection#:~:text=The%20Data%20Protection%20Act%202018%20is%20the%20UK%27s%20implementation%20of,used%20fairly%2C%20lawfully%20and%20transparently\" target=\"_blank\" rel=\"nofollow noopener\">GDPR<\/a> for accountants has more teeth than previous data protection laws, and it has a long reach. The law is not limited by EU borders \u2013 any business that holds or processes personal data belonging to EU data subjects falls under the purview of GDPR. Irrespective of where your business is located, your company is expected to comply with GDPR.<\/p>\n\n\n<div class=\"wp-block-aioseo-table-of-contents\"><ul><li><a class=\"aioseo-toc-item\" href=\"#aioseo-implications-of-working-with-a-non-compliant-outsourcing-partner\">Implications of Working with a Non-compliant Outsourcing Partner<\/a><ul><li><a class=\"aioseo-toc-item\" href=\"#aioseo-1-gdpr-penalties\">1. GDPR Penalties<\/a><\/li><li><a class=\"aioseo-toc-item\" href=\"#aioseo-2-loss-of-reputation-and-other-business-risks\">2. 
Loss of Reputation and Other Business Risks<\/a><\/li><\/ul><\/li><li><a class=\"aioseo-toc-item\" href=\"#aioseo-de-risk-gdpr-insist-on-a-compliant-outsourcing-partner\">De-risk GDPR: Insist on a Compliant Outsourcing Partner<\/a><\/li><li><a class=\"aioseo-toc-item\" href=\"#aioseo-client-support\">Client Support<\/a><\/li><\/ul><\/div>\n\n\n<p>Naturally, most organisations based in the UK or EU, or companies from non-EU countries operating in the EU, handle data belonging to EU citizens. All such businesses must comply with GDPR or be prepared to pay potentially stiff penalties. But it doesn\u2019t end there; even after you make your own business GDPR compliant, the risk remains if you share personal data with third-party processors.<\/p>\n\n\n<div class=\"blogin-graphics highlightbox7\" id=\"bgblock_code\" style=\"\">\n    <div class=\"blogin-graphics-in\">\n<h2>What Does GDPR State?<\/h2>\n<p>GDPR\u2019s Article 28 clearly states that: \u201c[data controllers] shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject\u201d.<\/p>\n<p>What does this statement imply? This means that as an organisation that shares data with outsourcing companies, your company must conduct due diligence and guarantee that your outsourcing partners and other third-party suppliers comply with GDPR. 
In this scenario, if you do everything else right but choose a non-compliant outsourcing partner, you leave your organisation vulnerable to heavy penalties, loss of reputation and loss of business!<\/p>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-implications-of-working-with-a-non-compliant-outsourcing-partner\">Implications of Working with a Non-compliant Outsourcing Partner<\/h2>\n\n\n\n<p>Most organisations that outsource are &#8216;data controllers&#8217;. In simple words, you hold the personal data belonging to your customers, and you decide what it is for and what\u2019s going to happen to it. When you share this data with a third-party vendor or outsourcing partner, they process this data as part of the work. They are the \u2018data processors.\u2019<\/p>\n\n\n\n<p>Any data security breach at the data processor\u2019s end will have an impact on your business. So, as part of your GDPR compliance plan for accountants, you must evaluate your partner\u2019s preparedness as well. In case your partner is found to be non-compliant with GDPR, you stand to face potentially steep fines.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"aioseo-1-gdpr-penalties\"><strong>1. GDPR Penalties<\/strong><\/h3>\n\n\n\n<p>GDPR penalties will adhere to a two-tiered approach. Do note that the below penalties apply per breach, which can stack up quickly in the case of businesses that show flagrant disregard of the law.<\/p>\n\n\n\n<p>For the provisions that are considered of utmost importance to privacy and data protection (collecting or processing data without consent or violating Privacy by Design concepts), businesses that are found to be non-compliant could face potentially steep fines: <strong>upper limit of \u20ac20 million or 4% of annual global turnover \u2013 whichever is higher<\/strong>. 
For breaches that are considered to be of lesser relative importance, the upper limit for the penalty is halved to <strong>2% of the annual turnover or \u20ac10 million<\/strong>.<\/p>\n\n\n\n<p>While GDPR has provisions for heavy fines, it is to be noted that these are the highest possible penalties. For comparison, <strong>a fine of \u00a3500,000 is possible under the UK DPA<\/strong>. The highest penalty to date \u2013 for a very serious breach of the act \u2013 was \u00a3400,000.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"aioseo-2-loss-of-reputation-and-other-business-risks\"><strong>2. Loss of Reputation and Other Business Risks<\/strong><\/h3>\n\n\n\n<p>Monetary loss in the form of fines is just one side of the coin. If a security breach or lapse is uncovered at your outsourcing partner\u2019s end and they are found to be in non-compliance with GDPR, your business is exposed to all the risks that are associated with cyber security breaches:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Loss of reputation<\/strong>: If your outsourcing partner fails to protect personal data, you will rapidly lose the trust of your customers and other stakeholders. Not only can this lead to business loss, but it can also erode the brand that you have built over the years.<\/li>\n\n\n\n<li><strong>Operations disruption<\/strong>: Any business that is caught in a GDPR non-compliance suit will be forced to rapidly overhaul its operations to ensure compliance in the future. A number of key players in your management team will be busy firefighting. If this doesn\u2019t bring operations to a grinding halt, it can definitely slow them down.<\/li>\n\n\n\n<li><strong>Long-term impacts<\/strong>: A rise in the cost of insurance premiums for cyber threats over a long period can be expected if your business gets caught up in a GDPR non-compliance scenario. 
Re-assessment of contracts and the cyber-security readiness of all third-party vendors, efforts to win back customer trust, and recovery of operations are other activities that may require attention over a long period of time.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-de-risk-gdpr-insist-on-a-compliant-outsourcing-partner\">De-risk GDPR: Insist on a Compliant Outsourcing Partner<\/h2>\n\n\n\n<p>Outsourcing partners and other third-party vendors that work with the personal data of your customers are an integral part of your data cycle. It is essential that they understand their role under the new law and are prepared to shoulder the burden of compliance. Assess your supplier\u2019s readiness from the legal, operational and technological perspectives:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>GDPR compliant<\/strong>: Is your outsourcing provider <a href=\"https:\/\/qxaccounting.com\/about\/gdpr\/\" target=\"_blank\" rel=\"noopener\">GDPR compliant<\/a>, or does it have a clear plan to become compliant? Check whether your supplier has conducted internal data protection impact assessments (DPIAs), signed a written data processing agreement with you, and become compliant with the provisions on international data transfers.<\/li>\n\n\n\n<li><strong>Business contracts:<\/strong> As noted above, Article 28 of GDPR expects data controllers to conduct due diligence on data processors. As a result, you must sign updated contracts with your outsourcing providers, clearly outlining the rules and responsibilities around data security and management. If you are looking for a new supplier, ensure that they have renewed contracts with their current clients to meet GDPR-related requirements.<\/li>\n\n\n\n<li><strong>Security measures<\/strong>: GDPR expects any business handling the personal data of EU citizens to have appropriate safeguards and security procedures. 
For instance, if the outsourcers are storing data outside the EU, the personal data attributes would need to be anonymised, encrypted, archived and deleted.<\/li>\n<\/ul>\n\n\n<div class=\"blogin-graphics highlightbox7\" id=\"bgblock_code\" style=\"\">\n    <div class=\"blogin-graphics-in\">\n<h2>QXAS is GDPR compliant. Is Your Outsourcing Partner Compliant?<\/h2>\n<p>QXAS is the first accounts outsourcing company in India to become GDPR compliant; our delivery centres in India have been certified GDPR compliant via the BS 10012:2017 framework, with certification by the British Standards Institution (BSI). In fact, we became GDPR compliant a month ahead of the GDPR rollout!<\/p>\n<p>As the first GDPR compliant accounts outsourcing company in India, we can assure our clients and prospects that we\u2019ve taken all the necessary steps to safeguard personal information and we collect &amp; store only the minimum necessary data.<\/p>\n<p>Is your outsourcing partner GDPR compliant? Insist on a GDPR compliant partner and assess their security readiness firsthand \u2013 GDPR implications can be brutal, and non-compliance is not a risk worth taking!<\/p>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"aioseo-client-support\">Client Support<\/h2>\n\n\n\n<p>We are also committed to helping our clients prepare for the obligations under GDPR. If you have any specific questions regarding the GDPR requirements and how this may impact your use of QXAS, please email us on <a href=\"mailto:contact@qxas.co.uk\">contact@qxas.co.uk<\/a> and our GDPR team will respond.<\/p>\n\n\n\n<p>Give QXAS&#8217; <a href=\"https:\/\/qxaccounting.com\/uk\/accounting-outsourcing-services\/\" target=\"_blank\" rel=\"noopener\">accounting outsourcing<\/a> a try. Get started with a free trial.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GDPR for accountants has more teeth than previous data protection laws, and it has a long reach. 
The law is not limited by EU borders \u2013 any business that holds or processes personal data belonging to EU data subjects falls under the purview of GDPR. Irrespective of where your business is located, your company is [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":8806,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[187],"tags":[40,189,39],"class_list":["post-1560","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-accounting","tag-cybersecurity","tag-gdpr","tag-security"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/qxaccounting.com\/uk\/wp-json\/wp\/v2\/posts\/1560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qxaccounting.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qxaccounting.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qxaccounting.com\/uk\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/qxaccounting.com\/uk\/wp-json\/wp\/v2\/comments?post=1560"}],"version-history":[{"count":0,"href":"https:\/\/qxaccounting.com\/uk\/wp-json\/wp\/v2\/posts\/1560\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/qxaccounting.com\/uk\/wp-json\/wp\/v2\/media\/8806"}],"wp:attachment":[{"href":"https:\/\/qxaccounting.com\/uk\/wp-json\/wp\/v2\/media?parent=1560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qxaccounting.com\/uk\/wp-json\/wp\/v2\/categories?post=1560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qxaccounting.com\/uk\/wp-json\/wp\/v2\/tags?post=1560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}