Myths are circulating about outsourcing and GDPR. Here are the facts.

If an outsourcing provider accesses your servers from India, that on its own does NOT make you ‘GDPR compliant’.

Without other security measures and protocols in place, the Information Commissioner’s Office (ICO) could find that what your practice is doing is unlawful.

The ICO states that a restricted transfer takes place if “you are initiating and agreeing to send personal data, or make it accessible, to a receiver who is located in a country outside the UK”. Note the words “or make it accessible”: letting someone overseas log in to data that stays on your UK servers is still a restricted transfer.

You must also be aware that most accounting firms handle ‘special category’ personal data – healthcare invoices, records of union fees paid, or political/religious donations all reveal health, trade union membership, political opinions or religious beliefs. So, if your outsourcer experiences a data breach and your controls are inadequate, you have a big problem.

So, what do you need to make sure is in place?

  • Firstly, there needs to be an appropriate risk assessment of the overseas legal entity, and a contract in place with it.
  • Secondly, your client engagement letter needs to reflect the possibility of transfer.
  • Finally, the data being transferred needs to be handled securely, both on your network and on the network of anyone accessing it.

At AdvanceTrack we work with a top legal firm to ensure that we have the correct contractual measures in place. You contract with our UK legal entity and we handle the transfer to India.

We have also made considerable investment in security measures and controls around use of personal information, and have been assessed on this by numerous top accounting firms.

Additionally, we are certified by BSI against ISO27001:2022 Information Security and ISO27701/BS10012 Personal Information Management. More detail on our security can be found by clicking here.

AdvanceTrack gives data protection the investment in time and resources that it needs. We need to sleep soundly at night – and so do you. That is why data security and protocols receive our highest priority.

If you would like to speak to us about outsourcing and offshoring, please click here.

What does ‘risk’ mean to your accounting practice?

Is it the risk that clients will leave in droves, or (as sometimes/often happens) they hang around without paying what they should for services?

Perhaps money laundering and ‘dodgy’ clients are a key risk for you. Or GDPR. Or a key member of staff leaving.

I wrote a post on LinkedIn last week about SVB’s collapse and the contagion effect on other banks but, as important, its potential to leave the software industry in dire financial straits – which could have had a huge knock-on effect to practitioners.

Accountants have to understand, embrace and mitigate lots of risk. And so, while here at AdvanceTrack we can extol the virtues of our service, we understand very well that practices interested in working with us have big questions around the ‘risks’ associated with outsourcing and offshoring.

As an accountant myself (and founder/MD of this business), I am acutely aware of the risks that primarily concern them: business continuity; IT security; and data privacy. They feel like the big first hurdle that practice leaders need to clear before they consider workflows and benefits.

For us, risk management is fundamental to how we serve practices and, by definition, their clients. AdvanceTrack is certified through numerous management system and security standards. We are among the first ten organisations globally to attain the updated information security standard ISO/IEC 27001:2022 (read the new case study here). We have FAQs on GDPR and data security.

There is another layer to this. Firstly, you need to be able to sleep at night, knowing that your practice is working well, doing the right things and is sustainable. And so do we. For us that means appreciating that ‘safe and secure’ on one day may not be exactly the same as the next day. We constantly test our systems and ways of working – and our certifications are externally audited every year.

In some ways, SVB showed the best and worst of risk management – its collapse could have perhaps been averted earlier, while the amount of software industry capital tied up in the organisation should have set alarm bells ringing. But the contagion effect has been fended off, with protocols and actions put in place post-‘Credit Crunch’.

Ultimately, there is only so much that can be controlled. From AdvanceTrack’s perspective, we aim as high as possible.

This FAQ looks into the detail behind data security and the UK leaving the EU … what impact has Brexit had?

When Brexit ‘officially happened’ in legal terms, the ‘old’ EU GDPR was carried over into UK law as the ‘UK GDPR’, sitting alongside the Data Protection Act 2018 – so, initially, there was no change to the rules.

However, contracts need to be changed to reflect the switch, and we are currently transitioning ours across. Contracts will refer to the UK GDPR and the Data Protection Act 2018 rather than the EU GDPR, and all of us will need to revisit our compliance processes and update them accordingly.

There are no major changes at this point in time – but changes will come and contracts, processes and ways of working will need checking and revising.

So, what are the changes for us? Well, for EU data protection purposes the UK is now a ‘third country’, so for AdvanceTrack to work with EU businesses it’s ‘a different continent’, even for the Republic of Ireland. The reality is, we would not stray far from GDPR anyway – it’s not in our interests to go backwards on privacy and security; we will always move forward.

It is worth noting that there are situations where an outsourced team in another country (for us, India) accesses data that stays in the UK. In that instance the data’s ‘sovereignty’ (where it is stored) doesn’t change, but it is still being processed abroad, which must be considered from a legislative perspective.

Alternatively, some outsourcers might say: ‘You log on to our servers, so don’t worry about British data law.’ Unfortunately that’s not correct. There is case law that you can’t avoid GDPR (or UK rules) even if the data doesn’t ‘move’, and the ICO treats making data accessible from abroad as a restricted transfer. Accountants should be very wary of the permutations when discussing terms and details with outsourcers.

Ultimately we will be compliant with both GDPR and UK data rules – see our multiple standards, which validate and assure this (click here for more).

If you’ve read our articles on GDPR and security, and would like to talk to us in more detail, don’t hesitate to get in touch by clicking here.

Like its clients, AdvanceTrack has enjoyed another busy month.

For starters, we held our second annual AdvanceTrack Conference. The event, held in central London, brought together more than 100 practitioners and technology specialists to discuss key issues and opportunities for the profession.

We covered the ‘business growth accountant’ in a lively session with Paul Shrimpling, while Martin King-Turner took us through the latest developments on that dreaded topic: GDPR.

The Profitable Firm’s Karen Reyburn talked about the four ‘make or break’ areas for accountancy marketing, while BlueHub’s Matt Flanagan pointed firms to where they should currently be on their MTD journey.

Vipul Sheth, AdvanceTrack MD, said the event illustrated to accountants the importance of building client relationships by having more up-to-date information about them, particularly on the bookkeeping front.

“I’m driving home the message about our investment in technology to run an efficient and reliable service to our client firms, and an increasing focus on building a scalable bookkeeping service,” said Sheth.

“Remember, with Making Tax Digital accountants are going to need reliable financials and do it for hundreds of thousands of clients.”

Sheth added: “What you really need to consider is you have a set of skills that can change clients’ lives. You must understand the finances, their industry, and the whole thing put together – that’s really your role. If you understand that then we can help you do more of that, and you’ll become more profitable and go home earlier.”

Internal data security is a question that not many accountants are asking, but if it is neglected it can have disastrous consequences.

It’s not enough anymore to sit there and say “hackers only target hard cash, like banks and credit cards”. That may still be true to some extent, but look at the data accountants tend to hold: the financial data of your clients’ businesses.

That’s your clients’ livelihood, and hackers have caught on to this. They’ve realised that they can monetise all kinds of data, especially sensitive data belonging to your clients, which means we have some catching up to do to make sure it is all protected.

We’ve already covered ways to stop using email to send sensitive information, and now it’s time to look at how you can continue to improve your firm’s internal security.

Look at who has access, and to what

When you’re sending sensitive documents to someone, be it through Dropbox, Google Drive or a client portal, you of course need to give your client access to then view that information.

That’s great, but how do you keep managing it afterwards? If access is left unchecked, you will find that clients still have access to areas they no longer need, or worse, areas they were never entitled to, simply because nobody reviewed the grant.

The answer is a regular access review: confirm that each client (and each member of staff) holds only the access they currently need, at the lowest level that does the job, and remove it when the engagement or the task ends. Better yet, if someone needs a higher level of access, explain the extra risk that comes with it, so that they understand the policies and procedures you have in place to protect their accounts and their data.

Check your passwords

When talking about security, one of the most popular questions I’ve seen is “how often do you change your password?” A more pertinent question is “how many accounts do you have that re-use the same password?” The answer always surprises me.

Password re-use is one of the biggest security problems people have. Do you remember the LinkedIn hack of 2012? Well over a hundred million users had their password hashes stolen, but the bigger problem was for those who used the same password on other systems such as Dropbox, Facebook and Outlook: attackers took the cracked LinkedIn passwords and simply tried them elsewhere, and very often succeeded.

With a password manager such as LastPass, you don’t need to remember all your passwords, which lets you make each one long, unique and complex without the worry of forgetting which letter was capitalised or which was swapped for a number. A trusted system to manage all of your passwords gives you far more security than before.

Two-factor authentication adds a layer of security beyond the password itself: a stolen or re-used password alone is no longer enough to log in. It has become much more common with companies like Google and even Xero. Because banks have used it for a long time, we have become accustomed to using two-factor authentication on a daily basis.
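A worked example of the password-hygiene check a password manager performs, added here and not part of the original article or of AdvanceTrack’s tooling. It audits a constructed vault export for passwords re-used across sites and for passwords that appear in a breach corpus, using the k-anonymity scheme Have I Been Pwned’s “range” API uses: hash the password with SHA-1, send only the first five hex characters, and compare the remaining 35 locally, so the password never leaves your machine. The breach corpus, its counts and the vault entries are all constructed so the example runs offline; `range_lookup` stands in for the real HTTP call.

```python
"""Added example: audit a password-vault export for reuse and breached passwords.

Reuse is found by grouping entries on the password; breach exposure is checked with
the k-anonymity scheme Have I Been Pwned's "range" API uses (SHA-1 the password,
send only the first five hex characters, match the remaining 35 locally). The
corpus, counts and vault entries below are constructed for the example.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach corpus; the counts are invented.
_BREACHED_COUNTS = {"password": 3_000_000, "123456": 20_000_000, "linkedin": 90_000}
_CORPUS = defaultdict(list)
for _pw, _count in _BREACHED_COUNTS.items():
    _digest = sha1_hex(_pw)
    _CORPUS[_digest[:5]].append(f"{_digest[5:]}:{_count}")

QUERIES_SENT = []  # what would leave the client: 5-character prefixes, never a full hash


def range_lookup(prefix: str) -> str:
    """Local stand-in for GET /range/<prefix>: returns 'SUFFIX:COUNT' lines for
    every breached hash sharing the 5-character prefix (possibly none)."""
    if len(prefix) != 5:
        raise ValueError("only a 5-hex-character prefix may be sent")
    QUERIES_SENT.append(prefix)
    return "\n".join(_CORPUS.get(prefix, []))


def breach_count(password: str, lookup=range_lookup) -> int:
    """How many times the password appears in the corpus; 0 if never seen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def audit_vault(entries, lookup=range_lookup) -> dict:
    """entries: iterable of (site, username, password) as exported from a vault.
    Returns {"reused": [[sites sharing one password], ...],
             "breached": {site: count_in_corpus}}."""
    sites_by_password = defaultdict(list)
    for site, _user, password in entries:
        sites_by_password[password].append(site)
    reused = [sites for sites in sites_by_password.values() if len(sites) > 1]
    breached = {}
    for password, sites in sites_by_password.items():
        count = breach_count(password, lookup)  # one query per distinct password
        if count:
            for site in sites:
                breached[site] = count
    return {"reused": reused, "breached": breached}


# Constructed vault export: one password re-used across three services.
VAULT = [
    ("linkedin.com", "vipul", "linkedin"),
    ("dropbox.com", "vipul", "linkedin"),
    ("xero.com", "vipul", "linkedin"),
    ("hmrc.gov.uk", "vipul", "Wet-March-Coventry-Lemon-2018"),
]

if __name__ == "__main__":
    print(audit_vault(VAULT))
    print("prefixes sent:", QUERIES_SENT)
```

The point to take from it is the shape of the query: the check never sends the password or even its full hash, only a prefix shared by many thousands of other hashes, so the service learns nothing useful about which password you asked about.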

Another thing to be particularly careful of is the usernames and passwords of past employees. Disable their accounts on the day they leave, rotate any shared passwords they knew (including remote access, portal and banking logins), and check that access is actually gone, so that past employees, disgruntled or otherwise, aren’t tempted to log in again remotely.
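The client-access review described earlier and the leaver check above are the same control: a periodic recertification of every share grant against who the person is now and what they are entitled to. The example below, added here and not AdvanceTrack’s own code, runs that review over a constructed directory, resource catalogue and grant export, and returns a revoke/downgrade/review decision per grant. The principal names, resource paths, statuses and the 90-day staleness window are assumptions for the example.

```python
"""Added example: a periodic access review ("recertification") over share grants.

Each grant is checked against a directory of who the principal is and whether they
should still exist, and a catalogue of which client a resource belongs to and the
most a client may hold on it. Directory, catalogue and grants are all constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2018, 3, 1)        # fixed so the example is deterministic
STALE_AFTER = timedelta(days=90)  # assumed policy: unused access gets reviewed
ROLE_RANK = {"view": 1, "edit": 2}


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    role: str                    # "view" or "edit"
    last_used: Optional[date]    # None = never used since it was granted


# Constructed directory of people (clients and staff) and their current status.
PRINCIPALS = {
    "alice@acme.example":      {"kind": "client", "status": "active", "client": "acme"},
    "bob@acme.example":        {"kind": "client", "status": "engagement-ended", "client": "acme"},
    "carol@northwind.example": {"kind": "client", "status": "active", "client": "northwind"},
    "dave@firm.example":       {"kind": "staff",  "status": "active", "client": None},
    "erin@firm.example":       {"kind": "staff",  "status": "left", "client": None},
}

# Constructed resource catalogue: owning client (None = firm-internal) and the
# highest role a client may hold on it.
RESOURCES = {
    "portal/acme/2017-accounts":    {"client": "acme",      "max_client_role": "view"},
    "portal/northwind/vat-returns": {"client": "northwind", "max_client_role": "edit"},
    "internal/workpapers":          {"client": None,        "max_client_role": None},
}


def review_grant(grant: Grant, today: date = TODAY):
    """Return (action, reason) for a grant that needs attention, else None."""
    who = PRINCIPALS.get(grant.principal)
    res = RESOURCES.get(grant.resource)
    if who is None or who["status"] != "active":
        return ("revoke", "principal unknown, has left, or engagement ended")
    if res is None:
        return ("revoke", "resource no longer in the catalogue")
    if who["kind"] == "client":
        if res["client"] != who["client"]:
            return ("revoke", "client has access to another client's or the firm's data")
        if ROLE_RANK[grant.role] > ROLE_RANK[res["max_client_role"]]:
            return ("downgrade", f"{grant.role} exceeds the {res['max_client_role']} a client may hold")
    if grant.last_used is None or today - grant.last_used > STALE_AFTER:
        return ("review", f"not used in the last {STALE_AFTER.days} days")
    return None


def recertify(grants, today: date = TODAY):
    """Run the review over every grant; returns (principal, resource, action, reason)."""
    findings = []
    for grant in grants:
        outcome = review_grant(grant, today)
        if outcome is not None:
            findings.append((grant.principal, grant.resource) + outcome)
    return findings


# Constructed export of current share grants.
GRANTS = [
    Grant("alice@acme.example", "portal/acme/2017-accounts", "edit", TODAY - timedelta(days=10)),
    Grant("bob@acme.example", "portal/acme/2017-accounts", "view", TODAY - timedelta(days=400)),
    Grant("carol@northwind.example", "portal/acme/2017-accounts", "view", None),
    Grant("carol@northwind.example", "portal/northwind/vat-returns", "edit", TODAY - timedelta(days=200)),
    Grant("dave@firm.example", "internal/workpapers", "edit", TODAY - timedelta(days=3)),
    Grant("erin@firm.example", "internal/workpapers", "edit", TODAY - timedelta(days=1)),
    Grant("mallory@nowhere.example", "internal/workpapers", "view", TODAY - timedelta(days=2)),
]

if __name__ == "__main__":
    for finding in recertify(GRANTS):
        print(*finding, sep=" | ")
```

Run on a schedule (monthly, or whenever an engagement letter ends or a leaver is processed) and feed the “revoke” lines straight into the sharing tool; the “review” lines are the ones a human should look at, since unused access is the cheapest to remove and the easiest to forget.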

Bringing your own device to work

Ever since the iPhone first launched, the way we work has been transformed. Instead of bringing your own laptop to work, people are now bringing what is practically a computer in their pocket!

The problem with this is that if your personal device has malware on it (which you may not be aware of), then as soon as it joins the company wi-fi that malware is on the same network as your servers, file shares and email, and can probe or infect them. At a minimum, keep personal devices on a separate guest network that cannot reach the firm’s systems.

Now I’m not saying you need to implement a rule where people have to leave their phones at home, but it’s worth having the conversation with your employees so that they’re aware of the risks and the steps they can take to make sure their own devices are protected.

Give everyone training

Everything I’ve said so far ties back to training, so make sure you have firm-wide policies and training on security. That way your entire team is on the same page about how to handle data, how to keep it secure and what steps to take if things go wrong.

Why risk the vulnerability of data, when there are tools and support out there to keep your firm secure?

AdvanceTrack has agreed with its ISO auditor (checking compliance with best practice Information Security Standard ISO 27001) the plan for compliance.

For Sheth, one of the key head-scratching moments came when considering the data received by its accountancy clients, which includes a mix of data. “When we get information from a firm of accountants, it includes personally and non-personally identifiable data… so what do you do to secure it?” he says.

Rather than try and split the information apart, AdvanceTrack will be encrypting everything in its database. “It’s the only way for us all to be satisfied; AdvanceTrack and our clients,” says Sheth.

The customers won’t notice anything, Sheth adds. AdvanceTrack has rebuilt its platform to ensure best practice data management and processing.

“We describe it as being like a jar full of cookies, which we put barbed wire around,” he says. “But get through that and the cookies won’t taste like cookies. It’s about the security around the data, but importantly also the data itself.”


With technology-driven change accelerating, Kevin Reed looks past the acronyms to set out the state of play on key tech topics of interest at the moment – and what you need to know to keep up

Accountants know that getting a handle on the latest tech acronyms is just the start of the learning process. These strangely-titled pieces of legislation or ‘next new thing’ will impact on their clients – or how they serve them. We take a look at four of the key topics.

Making Tax Digital (MTD)

Many of you will be weary of the sight of the acronym ‘MTD’, but it’s worth keeping track of key dates and developments. VAT-registered businesses over the VAT threshold will have to keep digital records and submit their VAT returns through MTD-compatible software from April 2019, while it is likely that those with income over £85,000 will need to file under the regime from April 2020. Effectively, HM Revenue & Customs is looking to digitise the filing system and gain access to information on a more regular basis.

Understanding which clients fall into which ‘box’, as far as MTD is concerned, is a priority for accountants. Setting a plan for moving away from using HMRC’s systems and taking on a commercial solution is another crucial step, as the taxman phases out its own delivery platform. Educating clients to this change, and through the process, must also be carefully considered.

There is concern about whether HMRC’s £2.1bn transformation plan (to become a digital provider of public services, while reducing costs) is feasible, fears that have again been raised following the publication of a report by the Public Accounts Committee.

Brexit is likely to see a 15% increase in projects undertaken by the taxman – on top of 250 outlined as part of its transformation plan. HMRC is now ‘re-prioritising’ its workload and will reveal more by the end of 2017/18 as to the likely impact.

However, as the committee is putting pressure on HMRC to manage the so-called SME ‘tax gap’, it seems unlikely that MTD will disappear off the radar – but it does raise the risk that a shift in focus away from digital transformation onto other projects will adversely affect any technology-focused changes. And a cautionary note: HMRC told the committee that it expects to work with tax advisers to encourage their clients’ compliance.

Accounting app ‘ecosystems’

Perhaps the most intriguing technology development in recent times has been that of the ‘app’, and the associated ‘app market’. Think Apple’s App Store or Google Play, and the multitude of tools and games that have been born or reincarnated through these platforms.

Now we have accounting technology providers enabling accessibility and integration in the cloud. Xero, Quickbooks and Sage have followed the ‘app’ approach in the small business space, and extended it out into practice management. Their online app stores offer a multitude of add-ons. For accountants in practice, this development opens up lots of opportunities – and issues to be resolved.

First, is it worth making the leap from your current technology platform? Some practitioners will work with ‘best-of-breed’ software and go through the painful process of extracting data from one tool to another. Others will use integrated suites of products – but some parts of the suite may not be the best tool for that particular practice. Again, this may require extra software purchases and fiddly data transfers.

Carl Reader, director at Bristol accountants d&t, says the ‘platform and apps’ approach is tempting in comparison to the alternatives. “Traditional integrated accounting platforms are quite clunky, particularly as there’s no such thing as the ‘stereotypical accounting practice’ anymore,” he explains.

It is worth noting that the new cloud-based platforms are also expanding their remit, and offering deeper functionality. However, unlike the traditional integrated platforms, you have more flexibility to opt out and instead use another bolt-on app if you prefer – without a painful manual integration.

A major concern, in a world where the app market is expanding rapidly, is knowing which of the add-on apps are right for your practice. “The options seem to increase on a daily basis and it is almost impossible to keep on top of what is happening,” according to Blick Rothenberg partner Bobby Lane. The practice has worked with a consultant who helps constantly monitor the latest developments in the accounting and business app space. But, as previously mentioned, the platform providers are developing their service further, which Lane believes will remove much of the need for picking and choosing add-ons.

“There seemed to be an add-on developed for every area and businesses believed that they had to have everything,” he says. “The reality is that when you break down the actual requirements of the business, most of what they need can be carried out with the basic platforms. These will continue to develop and replace the need to add on.”

PSD2 (aka Open Banking)

This is the acronym that has probably had the least traction in the media.

It sounds like a droid from the new Star Wars movie – it actually stands for Second Payment Services Directive. While neither the acronym nor the full title will mean much to anyone, you may have heard reference to its alternative moniker: Open Banking.

Put simply, banks will have to make available, upon your request, direct feeds of account information to third parties. These third parties will provide a range of financial and corporate services based on you allowing them access to your data.

Clearly, some of these products and services won’t just be for the consumer – corporate and business-focused offerings will also become available. Tim Fouracre, founder of Clear Books, has launched Countingup. This app will enable small businesses to open a current account via their smartphone while doing their accounting in the same place: it will be able to submit VAT returns, generate a P&L, create invoices and do the bookkeeping. He says it’s no surprise that the banks are “dragging their heels” on being ready for Open Banking (it’s believed five of the nine big banks missed the 13 January kick-off date).

“It’s no surprise HSBC et al are dragging their heels into Open Banking. It’s going to kill them,” he says. “We already know their point of contact with customers is on the decline as the branch network erodes away. But as the banks move to a predominantly online model, Open Banking is about to remove their point of contact with customers in the digital world too.”

Blick Rothenberg partner Bobby Lane urges patience – as far as practitioners are concerned. He believes the new regime “will not make a huge difference” to dealings with clients in the short term. He does predict new services to arise around the lending decision-making process for SMEs, which may influence how practices work with clients in finance-raising. Accountants serving clients in the fintech space must also be aware of the opportunities presented by Open Banking.

“At the current time, the role of the accountant will be more education-based, letting clients know what is happening and what this will mean for them,” says Lane.

GDPR

Like MTD, GDPR is an acronym that – by casting an eye over it – will automatically make you feel weary, anxious, or both.

We broached the thorny topic in our April 2017 issue of InsideOutsourcing – but it’s still well worthy of a reprise.

The UK’s Data Protection Act 1998 will be superseded by the EU-driven legislation. The new law intends to bring provisions up to date to deal with the explosion of personal and business data – along with how it is used, stored and deleted (or not). GDPR is enforceable from 25 May 2018.

Where consent is relied on to use or store personal data, it will have to be much clearer and more specific, and individuals gain a ‘right to be forgotten’ (the right to have their data erased). Some organisations will have to appoint a ‘data protection officer’ in certain circumstances. Encryption of personal data is named as one of the appropriate security measures and is expected to be undertaken. Accounting practices hold much sensitive personal and corporate data. The misuse of that data, or a lack of robust measures to protect it, will see much larger fines issued by the Information Commissioner’s Office than previously.

This year is going to be a very busy, but very exciting, time for AdvanceTrack – and we’d like you to join us

While companies that provide technology-driven solutions have a reputation for not always engaging with their customers, we put customer service and understanding your requirements as top priority.

We’re delighted, therefore, to be able to announce two opportunities for you to meet with us and discuss where you’re heading, and hopefully how we can help you on that journey.

First off, we have the Quickbooks Connect show, held across 27 and 28 February in London’s Printworks.

This year’s agenda covers the most relevant issues facing practices: from marketing (harnessing social media and building a digital brand) through to moving your practice and clients to the cloud.

“We’re taking part to meet with forward-thinking practices, many of whom will already be clients of ours and hopefully some new faces as well,” says Vipul Sheth, founder and MD of AdvanceTrack. Sheth expects conversations to revolve around Making Tax Digital (see this month’s feature spread for more). He foresees many practices wanting a ‘solution’ to MTD, and a big part of that will involve the use of efficient cloud-based bookkeeping among other things.

More importantly, making this transition will put client information into practices’ hands that they can leverage to provide a better service. “The truth is that we speak about this a lot,” says Sheth. “If practices see this as ‘stopping clients getting tax penalties’ then it’s a client/adviser conversation about price. But good conversations with clients is about helping them run their business. Then clients look at the price and say ‘this is what I pay my accountant for’.”

Next we have AdvanceTrack’s own conference, following on from last year’s successful inaugural event at America Square with 70 people in attendance. The invitation-only event will see respected consultant Paul Shrimpling set out the process by which you deliver higher-value services to clients. The conference will then continue with workshop-style sessions that provide more detail and insight into making that transition.

The conference will take place a few days after GDPR comes into effect – and AdvanceTrack will outline what we’ve done to make sure we are a compliant organisation.