We are proud to announce that QXFA is GDPR compliant; in fact, we are the first F&A services company in India to accomplish this!
On 26 April 2018 – a full month before the deadline – our delivery centres were certified to be in compliance with GDPR requirements, via the British Standards Institution’s 10012:2017 framework.
What is BS 10012:2017 and how does it relate to GDPR compliance?
BS 10012 is a best practice framework for a personal information management system (PIMS). The framework sets down core requirements that organisations must consider when dealing with personal data related to individuals.
It is the only enforceable and certifiable PIMS framework that aligns with GDPR’s principles around managing personal data. In order to achieve BS 10012 compliance certification, organisations need to demonstrate their ability to manage data privacy while collecting, storing, processing, retaining or disposing of personal records related to individuals.
We are committed to data security and regulatory compliance
Organisations outsourcing processes that involve management of personal data expect that their partners can be trusted to maintain compliance with GDPR and other regulations.
The BS 10012:2017 certification is awarded after a thorough and independent third-party attestation of the maturity of the business’ information security systems. Certified compliance with the BS 10012:2017 framework validates the effectiveness of the measures QX have taken to enable the security, confidentiality, and availability of our customer data. At the same time, it enables us to demonstrate compliance with GDPR.
Following the audit and issue of the certificate, the BSI auditors had this to say:
“At this stage where most of the companies have just started their GDPR journey, such a mature and well drafted framework at QX is a proof of how ahead you are in the game. We had a difficult time finding a flaw in your system. The level of competency of people, the detailing of documentation and the involvement of people is commendable. It was a learning experience for us too and we wish you all the best for the future.” – British Standards Institution
Why should businesses insist on a GDPR compliant partner?
GDPR is not limited to the EU – any company that processes personal data of EU citizens falls within the purview of this law. For example, as an F&A outsourcing partner working with companies in the EU, we fall within the ‘data processor’ category, while many of our clients are deemed ‘data controllers’.
If your company shares personal data of EU citizens with an outsourcing partner, both your partner and your business are obligated to protect the data as per GDPR standards. Not only is your business liable for non-compliance as a data controller, but according to GDPR Article 28, you are also expected to conduct due diligence and only use processors that guarantee to comply with the regulations. Businesses that fail to comply could face potentially steep fines: an upper limit of €20 million or 4% of annual global turnover (based on the turnover for the preceding year) – whichever is higher.
Becoming GDPR compliant: Key steps taken by QX
As a company that processes a high volume of data for our clients, QX has always placed a premium on data privacy and security. Even before EU GDPR was adopted, we complied with the UK Data Protection Act and were ISO 27001:2015 and UK Cyber Essentials certified.
With GDPR, both data controllers and processors are expected to meet higher standards for data security and privacy. This requires creating a data inventory & mapping processes, revising written data processing agreements (DPAs), appointing a data protection officer (DPO), and putting a Data Protection Impact Assessment (DPIA) policy in place.
To fully comply with GDPR, we carried out the following activities:
- To address the challenge of analysing and addressing the requirements of GDPR across the company, we appointed a qualified DPO (Data Protection Officer) and formed a team of cross-functional data protection specialists. This team helps with transparency, Privacy by Design, and conducting DPIAs.
- In accordance with the BS 10012:2017 framework, our contracts with clients include Data Protection Agreements (DPA) with GDPR clauses as a standard – this helps ensure compliance with GDPR requirements. Our revised contracts are based on ICO (Information Commissioner’s Office) guidelines and include the following terms:
  - We have adequate levels of data protection controls in place for the transfer and processing of data
  - We only process personal data on documented instructions from our clients
  - We have a process which anonymises and encrypts data
  - We securely delete data after the required retention period/at the end of the contract
  - We submit to audits and inspections, and work with our clients to ensure that both parties meet Article 28 obligations
- While we already use state-of-the-art servers in Europe for the storage of data, we have implemented additional security controls to ensure we as data controllers meet the ‘accountability principles’ under the GDPR requirements.
- We have set up an official 72-hour breach response plan and have put in place an internal audit program for all processes, to ensure compliance with rules set forth by the regulation.
- We carried out numerous workshops and training sessions for staff at all levels so that all our employees understand how to handle personal data. Senior personnel were provided comprehensive training to ensure they maintain a DPIA for any new project that involves personal data right from the outset. Awareness training at the Board level ensured that our leadership understands QX’s obligations under GDPR.
As the first GDPR compliant F&A services company in India, we can assure our clients that we’ve taken all the necessary steps to safeguard personal information and collect & store only the minimum necessary data.
We are committed to supporting our clients’ efforts for GDPR compliance. For more information on how we can assist your compliance journeys, please write to us at email@example.com.