QX has always honoured its users’ right to data privacy and protection. We are the first outsourcing company in India to be GDPR compliant.
On 26 April 2018 QX Global Group became the first outsourcing company in India to become GDPR compliant via the British Standards Institution’s BS 10012:2017 framework. We were awarded the standard exactly a month before the deadline went into effect!
OUR COMMITMENT TO SECURITY AND REGULATORY COMPLIANCE
Being one of the UK’s leading suppliers of accounting, finance and accounts, payroll and recruitment process outsourcing services, we were committed to implementing the GDPR by 25 May 2018. Our team ensured that our clients and our businesses are prepared for GDPR before the deadline. The BS 10012:2017 compliance framework validates the measures we have taken to enable security, confidentiality, and availability of our customer data.
QX was audited by British Standards Institute (BSI), a service organisation that produces standards across a wide variety of industry sectors. And we are incredibly proud to have cleared the audit on 26 April 2018, a month before the deadline! The certificate is valid for 3 years.
The BSI auditors had this to say after the certification was issued:
“At this stage where most of the companies have just started their GDPR journey, such a mature and well drafted framework at QX is a proof of how ahead you are in the game. We had a difficult time finding a flaw in your system. The level of competency of people, the detailing of documentation and the involvement of people is commendable. It was a learning experience for us too and we wish you all the best for the future”
British Standards Institution
WHY IS A GDPR COMPLIANT OUTSOURCING PARTNER IMPORTANT FOR YOU?
GDPR impacts data controllers and data processors alike, making it imperative for outsourcing companies (as data processors) to ensure that their data processing activities are carried out in accordance with the data protection principles set out in the GDPR. Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances.
GDPR article 28 “Requirements of a Data Processor” mandates that a data controller shall use only those processors that provide sufficient guarantees to implement appropriate technical and organisational measures.
WHAT IS BS 10012:2017 PERSONAL INFORMATION MANAGEMENT SYSTEM?
BS 10012 is a best practice structure for a PIMS that is aligned with the principles of the EU GDPR. It frames the core requirements organisations need to consider when collecting, storing, processing, retaining or disposing of personal records associated with individuals.
BS 10012:2017 is the only available code of conduct, developed by the British Standards Institution (BSI). By being compliant with BS 10012 it also implies compliance with rules set forth in the GDPR.
As the 1st GDPR compliant outsourcing company in India, we want our clients to be confident in knowing that we’ve taken all the necessary steps to not only keep their data secure but also to only collect and hold what is required.
We have appointed a Data Protection Officer (DPO) and formed a cross-functional team of data protection specialists to analyse and address the new requirements of GDPR. Among other tasks, this team helps with transparency, Privacy by Design, and conducting Data Protections Impact Assessments (DPIAs).
As required by the BS 10012: 2017 framework, we now offer all our accounting, finance and accounts, payroll and recruitment clients with Data Protection Agreements (DPA) with GDPR clauses as a standard. This enables QX and its clients to comply with GDPR requirements. All our revised written contracts are based on ICO's (Information Commissioner’s Office) guidelines, which include these terms:
We have adequate levels of data protection controls in place for the transfer and processing of data
We only process personal data on documented instructions from our clients
We have a process which anonymises and encrypts data
We securely delete data after the required retention period /at the end of the contract
We submit to independent, third-party audit and inspections, and work with our clients to ensure we are both meeting Article 28 obligations
While we already use state-of-the-art servers in Europe for the storage of data, we have implemented additional security controls to ensure we as data controllers meet the ‘accountability principles’ under the GDPR requirements.
We have set up an official 36-hour, breach response plan that adheres with GDPR, and have an internal audit program for all processes to ensure QX is always in compliance with the rules set forth by the regulation.
We have conducted numerous awareness workshops so all employees know how to handle personal data here at QX. All senior level staff has now undergone training to ensure they maintain a DPIA at the early stages of any project that involves personal data. We have also conducted awareness training at our Board level to ensure our leadership teams are well aware of QX’s obligations under GDPR.
WHAT YOU SHOULD KNOW ABOUT GDPR
Here’s some useful resources that we’d like to share with you