Believe the GDPR myths, and you could see the information regulator come down on you and your firm.
There are a few myths circulating in the accounts outsourcing industry about what is required to make outsourcing legal from a GDPR perspective. Chief among these is the idea that if someone is accessing your servers from India then this, on its own, is GDPR compliant. Without other measures in place this is actually illegal, and you can get into a lot of trouble with the ICO as a result. The ICO makes it quite clear that this is the case – they say that a restricted transfer takes place if “you are initiating and agreeing to send personal data, or make it accessible, to a receiver who is located in a country outside the UK” – note the part marked in bold.
To make this worse, you may not be aware that most accounting firms handle ‘special category’ personal data – such as healthcare invoices, records of union fees paid, or political/religious donations. So, if your outsourcer experiences a data breach and your controls are inadequate, you have a big problem.
So, what do you need to make sure is in place?
At Advancetrack we work with a top legal firm to ensure that we have the correct contractual measures in place. You contract with our UK legal entity, and we handle the transfer to India. We have also made considerable investment in security measures and controls around use of personal information and have been assessed on this by numerous top accounting firms. Additionally, we are certified by BSI against ISO27001:2022 on information security and ISO27701/BS10012 on personal information management.
Advancetrack give data protection the investment in time and resources that it needs. As a result, we are not the cheapest in the market, but you need to ask yourself how much it is worth for you to sleep soundly at night!
If you’d like to talk to us about planning for outsourcing, or getting a better understanding of the regulation that both you and Advancetrack must comply with, get in contact by clicking here.