There are many recruitment agencies and other companies in the UK that have realised the many benefits of outsourcing non-core functions to offshore providers, allowing them to focus their energies on what they do best.
A large number of the activities outsourced, such as payroll and accounting, require organisations and individuals based in offshore locations to process data that belongs to people from the UK and EU.
Up until now, any data involved was covered under the Data Protection Act and the burden of responsibility for the data mostly lay with the agency and not the offshore accounting service provider, giving them a certain level of protection.
However, this is all about to change with the introduction of the GDPR, which will come into force from 25th May 2018, updates existing data protection laws and will align all data protection regulations across Europe.
It’s certainly a tricky area, as the introduction of GDPR raises the question of whose responsibility it will be to abide by the regulations and notify any serious breaches or problems related to the data held.
So what impact does GDPR have on your Offshore Accounting Service Provider?
Well, the biggest impact is that the offshore provider is now in control of a process that was previously controlled by the client, the recruitment agency and other companies. They now need to comply and accept responsibility for the data, ensuring it’s treated correctly or potentially face massive fines.
However, there is no doubt that recruitment agencies and other companies are still fully responsible for their offshore partner and will be expected to ensure that their offshore partners, who process or control data belonging to EU citizens, are fully in compliance with GDPR.
As a result, recruitment agencies and other companies need to confirm now that their outsourcing partners are fully prepared for GDPR, as working with non-compliant partners will leave the agency vulnerable to the threat of steep fines.
So, how do you make sure your outsourcing partner is compliant with GDPR?
When working with an offshore accounting partner, recruitment agencies and other companies need to bear in mind the following:
- Does your offshore accounting partner comply with the existing data protection regulations? Do they comply with international information security standards like ISO 27001? If they comply with these standards you know that, at the very least, they have a basic data security framework in place and are committed to the process.
- Any organisation that is serious about making itself ready for GDPR will have appointed a dedicated Data Protection Officer who will review and manage the organisation’s regulatory compliance readiness and take steps to make it GDPR compliant. Ideally, the DPO should be a certified GDPR practitioner and have prior experience and knowledge of data protection law.
- Any new contracts should cover the appropriate security obligations to comply with the new regulations, and existing contracts need redrafting to embed the GDPR compliance responsibilities of both organisations and to outline the penalties imposed for any activity that fails to comply.
- It is critical that the offshore provider has taken all steps necessary to allow their staff to be ready for the changes and that they are well-versed in the key principles of information privacy in reference to GDPR.
GDPR will create a whole new way of thinking for everyone as to how they use data, and there’s no doubt that in the short term GDPR will require additional resources and costs.
All parties involved will need to work together more closely than ever to take shared responsibility for any data that is being used, ensuring that consent has been obtained. Detailed auditing and close partnerships are going to be crucial for compliance, and any recruitment agency or other company working with an offshore accounting service provider will have to conduct due diligence and ensure that their offshore partner has the capacity, ability and willingness to comply with GDPR.
Is your offshore accounting services partner GDPR compliant?