Reviewed by Mrinal Kamboj
How outsourcing accounting companies can be GDPR compliant

Google, Facebook, Instagram, and WhatsApp were the initial casualties when the EU’s GDPR came into effect, given the potential for hefty fines. The technology giants were left staring at what could be enormous fines, and this will be an eye opener to other players with poor regulatory compliance. One popular misconception is that the geographic location of a business affects whether and how it must comply with the GDPR. In fact, compliance is determined far more by the processes an organisation establishes than by where it is located.

Fines in a nutshell

On the non-technical side, GDPR fines are delivered in two tiers of administrative penalties. The first is up to 2% of worldwide annual turnover or 10 million euros, whichever is greater, and the second is up to 4% of worldwide annual turnover or 20 million euros, whichever is greater. The salt in the wound is that the percentage is calculated on worldwide annual turnover, not on the operations in the particular country where the violation happened. That the calculation is based on the previous year’s turnover will, in most instances, offer little or no relief.

The EU privacy act in a nutshell

Organisations that handle the data of EU entities are defined as Data Controllers and Data Processors. For both, compliance means meeting the following applicable elements.

  • The act prescribes regulations on the handling of personal information, that is, any information that can be used, by one means or another, to identify an entity.
  • The privacy law requires consent to be obtained before personal information is kept, together with notice of the nature of the information retained.
  • It allows people to ask for information relating to them to be deleted, i.e. a person’s request to be ‘forgotten’ must be complied with, except for some forms of transactions/records.
  • The act requires compliance with the procedures laid down for informing the specified authorities when data is hacked or accessed illegally.
  • Data collected must never be used for any reason other than the purpose for which it was originally gathered, and once it has served that purpose it must be securely erased.

Consequences of GDPR non-compliance

These are the general, overarching rules that apply to Data Controllers and Data Processors.

Processes define compliance and not where data processors are

The mere fact that the Act deals with the data of EU entities could raise speculation that data processors outside the EU will be required to undergo additional scrutiny. It is processes and procedures that control compliance, not geo-location. In today’s technology-savvy world, offshoring, remote working and outsourcing are the buzzwords for enhancing both the performance and the cost-effectiveness of operations.

It is thus the responsibility of data controllers to engage outsourcing companies that are GDPR compliant through proper procedures. Compliance is the requirement of the times, and geographical location is not the parameter.

An EU-based data processor could prove to be non-compliant, and that would attract fines on both the data processor and the data controller, while a processor based outside the EU might be entirely compliant. The point is that location is not the determinant; being compliant is.

How accounting firms can become compliant

As a regulation, the GDPR can impose administrative fines upon data controllers as well as data processors. Outsourcing accounting companies should realize that it is more beneficial to be compliant with the GDPR. Not only will it prevent potential fines, it will actually enhance the security of operations and thus avoid data loss, which can harm accounting outsourcing companies through serious reputational damage.

Compliance with GDPR not only keeps exposure to fines minimal, it actually enhances the levels and layers of security. What should have been a voluntary change by companies is now a mandatory choice.

Below are some of the fundamental steps that must be undertaken by an accounting outsourcing company to become compliant with the GDPR.

  • Businesses must implement measures to ensure data is safe by design and by default. In effect, this means that the mechanisms in place are specifically designed to safeguard the data of EU organizations, and that this safeguard is applied as a matter of course.
  • Companies must appoint an officer who will oversee that the above procedures are implemented. This may include a tool-based approach to trace and track the data being processed.
  • Standard operating procedures have to be implemented and mandated so that data protection fulfils all the compliance standards.
  • Organizations must from time to time organize training and orientation sessions to make people aware of the regulations and to ensure that compliance measures are never lax.
  • Audit procedures and authentication mechanisms must be robust, so that access to information is limited to only those resources and processes that require it.
  • Accounting firms must demonstrate their willingness to be compliant. This will act as a mitigating factor in the event of any breach, by demonstrating that every effort was made to safeguard the data.
  • The lifecycle of the data must be handled according to the requirements of the act.

This implies that outdated processes must be abandoned and new processes adopted.

  • Firms must establish an efficient hierarchy/system to handle incidents and to forward information regarding such incidents to the relevant authorities and to the parties whose information was leaked, within the 72-hour timeframe.
  • Firms must define a chain of command and a channel to forward such messages, and conduct regular checks to determine the efficiency of that channel/system.

Accounting outsourcing firms provide businesses with manifold operational advantages, and compliance with GDPR will enhance the security of their processes while avoiding administrative penalties. These firms must become completely compliant so that businesses can continue to take advantage of their expertise and cost-effective solutions as part of deliverables.

Parul Aggarwal - Outbooks

Parul is a dedicated writer and expert in the accounting industry, known for her insightful and well researched content. Her writing covers a wide range of topics, including tax regulations, financial reporting standards, and best practices for compliance. She is committed to producing content that not only informs but also empowers readers to make informed decisions.
