There are a few myths circulating in the accounts outsourcing industry about what is required to make outsourcing legal from a GDPR perspective. Chief among these is the idea that if someone is accessing your servers from India then this, on its own, is GDPR compliant.
Without other measures in place this is actually illegal, and you can get into a lot of trouble with the ICO as a result. The ICO makes it quite clear that this is the case: it says that a restricted transfer takes place if “you are initiating and agreeing to send personal data, or make it accessible, to a receiver who is located in a country outside the UK”. Note the words “or make it accessible”: remote access from overseas counts as a transfer, even though no data is sent.
To make this worse, you may not be aware that most accounting firms handle ‘special category’ personal data – such as healthcare invoices, records of union fees paid, or political/religious donations. So, if your outsourcer experiences a data breach and your controls are inadequate, you have a big problem.
So, what do you need to make sure is in place?
- Firstly, there needs to be appropriate risk assessment of and contracts in place with the overseas legal entity.
- Secondly, your client engagement letter needs to reflect the possibility of transfer.
- Finally, the data being transferred needs to be treated securely, both on your network and on the network of anyone accessing it.
At AdvanceTrack we work with a top legal firm to ensure that we have the correct contractual measures in place. You contract with our UK legal entity, and we handle the transfer to India. We have also made considerable investment in security measures and controls around use of personal information and have been assessed on this by numerous top accounting firms. Additionally, we are certified by BSI against ISO27001:2022 on information security and ISO27701/BS10012 on personal information management.
An external auditor from the British Standards Institute (BSI) spends several days with us each year.
The auditor goes through all our procedures, risks and controls to make sure we do what we say we do. We currently hold five standards and, whether they cover security, privacy, quality or continuity, they are all risk-assessed:
- ISO 9001 Quality Management
- ISO 27001:2022 Information Security Management
- BS 10012 Personal Information Management System
- ISO 22301 Business Continuity
- ISO 27701 Personal Information Security
We identify risks, and then evaluate each one in terms of its impact on the confidentiality, integrity and availability of information. We then look to minimise the chance of those risks occurring.
Then we implement controls, and look at the residual risk: is there anything else we can do? Those controls could be as simple as making sure laptops have anti-virus on them – or as complex as managing redundant data centres or updating our business continuity plan.
The external auditor reviews all our controls and checks whether we actually follow them. They take samples and we demonstrate how we follow each one through, including the action taken to fix any issues that have arisen.
AdvanceTrack gives data protection the investment in time and resources that it needs. As a result, we are not the cheapest in the market, but you need to ask yourself how much it is worth for you to sleep soundly at night!
FAQ: What are the traits of a ‘typical practice’ working with AdvanceTrack?
Our latest FAQ looks at the typical qualities and attitudes that pervade the firms we typically work with at AdvanceTrack.
Technology and culture
We see that firms are proficient with technology. More importantly, there is usually a culture that is open to change – to adopt new processes and workflow – and, by definition, this means the embedding of new technology. When a practice begins working with us then there are inevitably some changes in how the work is undertaken and tracked – but the vast majority of practices are open and proactive and looking to make the venture succeed.
Making any change, particularly in an accounting firm, is viewed as a risk: ‘We could perhaps be more efficient and improve profits and service, but why ruffle feathers when we do OK?’ But there are firms that do try different things, and crucially, understand that these won’t always work. These firms will try something and, if it fails, then they learn to fail ‘quickly’.
This requires an investment of time and money. But, with a risk-based approach, driving change can bring about huge benefits – certainly in a climate where many practices have an opportunity to improve. Which leads to…
Practices that can deliver change and make improvements are usually good at project management. A key aspect of the outcome of a project is using metrics that allow you to track the impact of the changes made. Firms that work with us will eventually look at the impact on their bottom line, but beforehand we see them use client service measures, including job turnaround. If we can help client work be undertaken more quickly and efficiently, then cashflow and lock-up improve. Firms that work with us certainly measure – and see – improvement in revenue per head.
Finally, the firms we work with usually have leaders with clear ambitions, and these revolve around practical targets such as gross margins. That is normally tied into running the firm better, offering clients more and upskilling team members, all of which creates a more saleable asset. They see improving the firm’s value as the ultimate goal.