Posted on May 10, 2018
Written By QX Global Group
We are proud to announce that QXFA is GDPR compliant; in fact, we are the first F&A services company in India to accomplish this!
On 26 April 2018 – a full month before the deadline – our delivery centres were certified to be in compliance with GDPR requirements, via the British Standards Institution’s 10012:2017 framework.
BS 10012 is a best practice framework for a personal information management system (PIMS). The framework sets down core requirements that organisations must consider when dealing with personal data related to individuals.
It is the only enforceable and certifiable PIMS framework that aligns with GDPR’s principles around managing personal data. In order to achieve the BS 10012 compliance certification, organisations need to demonstrate their ability to manage data privacy while collecting, storing, processing, retaining or disposing of personal records related to individuals.
Organisations outsourcing processes that involve management of personal data expect that their partners can be trusted to maintain compliance with GDPR and other regulations.
The BS 10012:2017 certification is awarded after a thorough and independent third-party attestation of the maturity of the business’ information security systems. Certified compliance with BS 10012:2017 framework validates the effectiveness of the measures QX have taken to enable security, confidentiality, and availability of our customer data. At the same time, it enables us to demonstrate compliance with GDPR.
Following the audit and issue of the certificate, the BSI auditors had this to say:
“At this stage where most of the companies have just started their GDPR journey, such a mature and well drafted framework at QX is a proof of how ahead you are in the game. We had a difficult time finding a flaw in your system. The level of competency of people, the detailing of documentation and the involvement of people is commendable. It was a learning experience for us too and we wish you all the best for the future” – British Standards Institution
GDPR is not limited to the EU – any company that processes personal data of EU citizens falls within the purview of this law. For example, as an F&A outsourcing partner working with companies in the EU, we fall within the ‘data processor’ category, while many of our clients are deemed ‘data controllers’.
If your company shares personal data of EU citizens with an outsourcing partner, both your partner and your business are obligated to protect the data as per GDPR standards. Not only is your business liable for non-compliance as a data controller, but according to GDPR Article 28, you are also expected to conduct due diligence and only use processors that guarantee to comply with the regulations. Businesses that fail to comply could face potentially steep fines: an upper limit of €20 million or 4% of annual global turnover (based on the turnover for the preceding year), whichever is higher.
As a company that processes a high volume of data for our clients, QX has always placed a premium on data privacy and security. Even before EU GDPR was adopted, we complied with the UK Data Protection Act and were ISO 27001:2015 and UK Cyber Essentials certified.
With GDPR, both data controllers and processors are expected to meet higher standards for data security and privacy. This requires creating a data inventory & mapping processes, revising written data processing agreements (DPAs), appointing a data protection officer (DPO), and putting a Data Protection Impact Assessment (DPIA) policy in place.
As the first GDPR compliant F&A services company in India, we can assure our clients that we’ve taken all the necessary steps to safeguard personal information and collect & store only the minimum necessary data.
We are committed to supporting our clients’ efforts for GDPR compliance. For more information on how we can assist your compliance journeys, please contact us.
Originally published May 10, 2018 11:05:35, updated Feb 19 2021