Accountants thinking of outsourcing from the UK to India need to consider data privacy and security before going ahead.
India is not currently viewed as having an ‘adequate’ data privacy regime by the UK or EU regulators.
This does not mean you can’t share data with India, but it does mean there are things you have to do before you do so (and while you are doing it).
- Outsourcing itself is viewed as increasing the risk of data privacy and security problems.
- Outsourcing to another country (known as a cross-border data transfer) is viewed as further increasing that risk.
- Outsourcing to a ‘non-adequate’ country is viewed as further increasing that risk.
- Sharing ‘special category’ data, or financial or ID-related data, adds to the risk.
1. Update the current UK data audit, risk assessment, and map for your practice
All accountants need up-to-date data audits and risk assessments. Yours will need updating to take account of any changes in software, team structure, or type of clients and data you are currently accessing. The fact you may have done an audit a few years ago does not mean it will stand against what you are doing today – just as if you did a bank reconciliation two years ago it would not give you a reliable clue about your cash position today.
Updating your current audit and data map (where data comes from, where it is processed, to whom it is shared etc) is a great place to begin to look at outsourcing across borders.
Bear in mind that even giving someone access to view data (without editing it at all) counts as ‘data processing’: showing a record on a screen means retrieving it, transmitting it and making it available, all of which are processing operations.
Be very clear about what is ‘special category’ information (and thus always viewed as high risk to the data subject if it goes astray) and what is financial data or ID-related data – both of which are usually viewed as high risk.
2. Review for potential overseas transfers to accountants or bookkeepers
Once your data audit and map are up to date you can then identify which elements of this would change if you were to outsource to India.
It is important to minimise not only the data you collect in the first place but also the data you share. The less you collect in the first place, the less you can lose. But once you have reached the irreducible minimum you have to look at sharing the least possible data consistent with the task.
While it is often tempting to give your outsourced team ‘admin’ rights so they can just get on with the job, the more secure option is to use the roles and rights your software offers to give each individual only the access they need to do their job (the principle of least privilege), and wherever possible to restrict the ability to download, copy or forward information.
In an ideal world high-risk (including data about children and young people) and special category data would not be accessible outside the UK, even to view, but if it must be, then it can only be accessed for very specific purposes and you need to set that up:
- technologically (roles and rights, additional security such as encryption, and prevention of downloading, screenshots, copying, forwarding, etc.)
- contractually, through the data processing agreement
- by ensuring the team is properly trained
- by ongoing checks
3. Verify your legal basis for sharing data with accountants overseas
Once your data audit is up to date, including the legal basis for collecting each type of information, you will need to review it, because not all the lawful bases for collecting personal data in the UK are sufficient when it comes to sharing that data overseas. In some instances you will need to consider getting consent, even if that is not your basis for collecting the same information in the UK. Whichever basis you rely on, make sure that:
- it is clear which data is going to India, and on what basis
- you have recorded the steps you have taken to mitigate the increased risk of sharing data with India
5. Use an appropriate cross-border data processing agreement
You will need to issue a data processing agreement (just as you do with your UK outsourced team) but this will need to take account of all the things you need to require your Indian team to do to secure and use the data you make available to them.
It is your responsibility as the ‘data controller’ to set up the appropriate paperwork, security, and working methods, and you should not rely on unwritten assurances, however comforting they are. The paperwork must reflect processes that are genuinely in place (a contract on its own secures nothing), but the processes on their own are not enough either: you need the documentation as well. All of this forms part of your due diligence.
6. Use a ‘global’ agreement with your Indian accountants or bookkeepers
You are answerable to the Information Commissioner in the UK (ICO) for data processing undertaken by contractors you hire – even if they are not in the UK. You will also need to decide which jurisdiction’s law governs the rest of the contract and where any dispute would be heard.
There are advantages to having your contract enforceable in the UK, and others to having it enforceable in India. As things currently stand, enforcing a judgment of an English court in India (or vice versa) is not automatic, and takes time and money. So you will want to think about what might happen if things went wrong.
You will also want to consider whether you want to require your Indian supplier to carry professional indemnity insurance (if so to what limit), cyber security insurance, or any other kind of insurance.
You will also need to notify your insurers to make sure that your cover includes the new territory. UK insurers generally assume everything you do is inside the UK unless you tell them otherwise, and failing to tell them may invalidate your insurance.
8. Security risks
Technology such as laptops can be extremely expensive in India compared to the average wage. This means that many small contractors ‘device share’ with colleagues or family.
If another person is using the machine, they may fall for a ‘phishing’ request and let malware onto it. That malware can then capture the logins and sessions used to reach your systems, spread to your own machines, and cause a security breach or data corruption.
For high-risk or special category data, some clients go so far as to provide dedicated machines at their own expense, set up as locked-down, monitored virtual desktops so that only the designated person can use the machine, and only with the designated software. Some go further and configure those machines as thin clients that can only connect to the UK-hosted desktop and nothing else.
This is not a cheap option and can sometimes eliminate the savings of outsourcing if you are only outsourcing on an ad-hoc basis.
9. Let your clients know
If you need consent to do so, you are going to have to obtain it before including the client in your Indian outsourcing programme.
It is a good idea, in any event, to bring your new outsourcing team online gradually (during a trial test period) so that you can check they are operating securely and monitor any problems either in quality of work or data security. You may want to start with a particular client or two.
But it can take time, particularly if your client base is not used to the ‘global service economy’ and has always been working with you and your team on a face-to-face or local basis.
10. Have a secure onboarding and off-boarding plan
You will need a step-by-step plan to onboard people in India, making sure they have the right equipment, access levels, authentication, knowledge, and training.
You will sometimes meet great resistance to the idea that people won’t be sharing logins, but you should persevere and make sure that everyone who views your data or your clients’ data does so through their own unique, multi-factor authenticated login, ideally on their own unique machine, with their own appropriate role.
You may need to get yourself familiar with (or get someone else to do this for you) the various roles and security levels that are open to you and how to tailor them to what you need to achieve. If you have that kind of mind it is not difficult, but not all of us do.
Plan for the ending
We are often so focused on getting an outsourced team on board, we forget that all good business relationships come to an end at some point (and the not-so-good ones very quickly).
You need to be sure that you can turn off the access of anyone who no longer needs it (or reduce their rights if you are downgrading their role) and that no personal or confidential data is kept on local hard drives that you do not have the master access to.
For example, document sharing should be through a secure portal, or if you use SharePoint, Google Docs or Dropbox, then make sure that you own the folders, invite others in, and control what they can do within each folder, so that you can ‘turn off’ their access at any time.
If you do it the other way around, letting the outsourced team create and own the folders and invite you in, you may find yourself excluded from data you need later on, or unable to track who has access.
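The onboarding and off-boarding checks above (one login per person, multi-factor authentication, one machine per person, rights limited to the role, and you keeping ownership of every shared folder) can be written down as an access review that you run against a simple register of people and folder grants. The following is an added example, not code from the original article or from any software vendor: the role policy, the permission and risk levels, and the names (`review_access`, `offboard`, `ROLE_POLICY`) are all assumptions chosen for illustration, and the people and grants are constructed sample data.

```python
"""Access review for an outsourced team: joiner/mover/leaver checks.

Added example: the register format and role policy are assumptions,
and the sample people and grants below are constructed, not real data.
"""
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Person:
    login: str
    name: str
    role: str           # hypothetical role names, see ROLE_POLICY
    mfa_enrolled: bool  # has multi-factor authentication been set up?
    device_id: str      # asset tag of the machine they log in from
    active: bool        # False once off-boarded


@dataclass(frozen=True)
class Grant:
    login: str
    folder: str
    permission: str     # "view" < "edit" < "owner"
    risk: str           # "standard" < "high" < "special"


# Assumed policy: the most a role may hold, and on what kind of data.
ROLE_POLICY = {
    "bookkeeper": {"max_permission": "edit", "max_risk": "standard"},
    "reviewer": {"max_permission": "view", "max_risk": "high"},
    "uk_partner": {"max_permission": "owner", "max_risk": "special"},
}
PERMISSION_RANK = {"view": 0, "edit": 1, "owner": 2}
RISK_RANK = {"standard": 0, "high": 1, "special": 2}


def review_access(people, grants, controller_login):
    """Return a list of (finding, subject, detail) tuples; empty means clean."""
    findings = []
    active = [p for p in people if p.active]
    by_login = {p.login: p for p in people}

    # 1. A login shared by more than one person, or a device shared by
    #    more than one active login, breaks "one person, one login, one machine".
    for login, n in Counter(p.login for p in active).items():
        if n > 1:
            findings.append(("shared_login", login, f"{n} people"))
    device_users = {}
    for p in active:
        device_users.setdefault(p.device_id, []).append(p.login)
    for dev, logins in device_users.items():
        if len(logins) > 1:
            findings.append(("shared_device", dev, ",".join(sorted(logins))))

    # 2. Every active account must have MFA enrolled.
    for p in active:
        if not p.mfa_enrolled:
            findings.append(("no_mfa", p.login, ""))

    for g in grants:
        p = by_login.get(g.login)
        # 3. Leavers (or unknown accounts) must hold no grants at all.
        if p is None or not p.active:
            findings.append(("leaver_still_has_access", g.login, g.folder))
            continue
        # 4. Least privilege: a grant may not exceed what the role allows.
        policy = ROLE_POLICY.get(p.role)
        if policy is None:
            findings.append(("unknown_role", p.login, p.role))
            continue
        if PERMISSION_RANK[g.permission] > PERMISSION_RANK[policy["max_permission"]]:
            findings.append(("permission_exceeds_role", g.login, g.folder))
        if RISK_RANK[g.risk] > RISK_RANK[policy["max_risk"]]:
            findings.append(("risk_exceeds_role", g.login, g.folder))

    # 5. The data controller must own every shared folder, so access can be revoked.
    folders = {g.folder for g in grants}
    owned = {g.folder for g in grants
             if g.login == controller_login and g.permission == "owner"}
    for f in sorted(folders - owned):
        findings.append(("controller_not_owner", controller_login, f))
    return findings


def offboard(people, grants, login):
    """Leaver process: mark the account inactive and revoke all of its grants."""
    new_people = [replace(p, active=False) if p.login == login else p for p in people]
    new_grants = [g for g in grants if g.login != login]
    return new_people, new_grants


# Constructed sample register (not real people, clients or folders).
PEOPLE = [
    Person("jbloggs", "J Bloggs", "uk_partner", True, "UK-001", True),
    Person("asharma", "A Sharma", "bookkeeper", True, "IN-101", True),
    Person("rpatel", "R Patel", "bookkeeper", False, "IN-101", True),   # shares device, no MFA
    Person("ksingh", "K Singh", "reviewer", True, "IN-102", False),     # left last month
]
GRANTS = [
    Grant("jbloggs", "clients/ACME/ledger", "owner", "standard"),
    Grant("asharma", "clients/ACME/ledger", "edit", "standard"),
    Grant("rpatel", "clients/ACME/payroll", "edit", "high"),            # too risky for role
    Grant("ksingh", "clients/ACME/ledger", "view", "standard"),         # leaver still in
    Grant("asharma", "clients/ACME/payroll", "owner", "high"),          # too much for role
]

if __name__ == "__main__":
    for finding in review_access(PEOPLE, GRANTS, "jbloggs"):
        print(finding)
```

Running the review over the sample register flags the leaver who still has a grant, the two bookkeepers sharing a laptop, the account without MFA, the grants that exceed the bookkeeper role, and the payroll folder the UK partner does not own. Running `offboard` for the leaver and reviewing again clears the first finding; the remaining ones are fixed in the software's own roles-and-rights settings, and the review is rerun until it comes back empty.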
It’s not as tricky as it sounds
If your UK data privacy is all up to date, then adding on outsourcing to India is not a monstrous problem.
It can be more tricky if you are starting from non-compliance in the UK.
Most of us drift in and out of compliance a little, which is why we review and update what we are doing.
Have a quick chat
If you’d like to have a quick chat with our Data Privacy Director and expert Jo Brianti, just book a call.
She won’t bamboozle you with science and you will find her down-to-earth grip on these issues is refreshing. She will soon have you working out what you need to do to get your outsourcing project started.