You may hear a number of claims about what constitutes GDPR compliance (though far fewer about what does not). The main claim, shared liberally, is that ‘if an outsourcer accesses your servers from India, then they’re not transferring data… so that process is GDPR compliant’.
Sadly, a number of measures need to be in place to build GDPR compliance from this simple scenario – and without them you could fall foul of the Information Commissioner’s Office (ICO).
The first step is to clarify that accessing personal data held in the UK from abroad puts you under the remit of GDPR. The ICO states that a restricted transfer takes place if: “…you are initiating and agreeing to send personal data, or make it accessible, to a receiver who is located in a country outside the UK.”
Accountancy firms have to be especially mindful about GDPR compliance, because they deal with ‘special category’ information which includes healthcare invoices, records of union fees paid or political/religious donations.
Also note that the ICO has recently called upon accountants to play their role in supporting compliance for their small business clients. “Accountants are a key part of this network and it’s clear from our engagement with SMEs that many of them are reliant on their accountant to ensure their business dealings are compliant with data protection laws,” said ICO head of business services Faye Spencer.
Accountants are placed at the frontline of data management, controls and security. Therefore, it’s vital that you check thoroughly that your outsourcer is completely up to date with GDPR compliance, including strong controls and data breach mitigation.
What needs to be done
- There must be an appropriate risk assessment of, and contracts in place with, the overseas legal entity.
- Your client engagement letter must reflect the possibility of transfer.
- Data being transferred must be treated securely, both on your network and on the network of anyone accessing it.
These are areas that we at Advancetrack are more than mindful of – they sit at the heart of what we do. For example, we work with a top legal firm to ensure that we have the correct contractual measures in place.
You contract with our UK legal entity, and we handle the transfer to India. We have also made considerable investment in security measures and controls around use of personal information and have been assessed on this by numerous top accounting firms.
Additionally, we are certified by BSI against ISO 27001:2022 on information security and ISO 27701/BS 10012 on personal information management. These are the product of building strong protocols in our business. Advancetrack also holds additional standards for Quality and Business Continuity and is an ICAEW regulated firm.
If you’d like to talk to us about planning for outsourcing, or getting a better understanding of the regulation that both you and Advancetrack must comply with, get in contact with us.