The GDPR-ready practice: Referring and outsourcing
Referrals and outsourcing have something in common – they both involve sharing client information with someone who does not work for your organisation. It is easy to overlook how GDPR affects sharing information with third parties.
This is the final article in a three-part series on keeping your accounting practice GDPR compliant.
Many practices use referrals as a key way to get new clients. If you are part of a referral network, you should take care to ensure you are not sharing personal data or client information in a way the client does not fully expect.
Recently, a member of one of our GDPR support groups mentioned that their new accountant had shared their details with a third-party expert who had phoned them and obviously knew all about their financial affairs.
Our member was not expecting their information to be shared in this way and sacked their new accountant as a result. They could also have made a complaint to the Information Commissioner about the unauthorised sharing of personal data.
As the data controller, your job is to secure personal data, not to share it. If you want to share it with an external organisation who may want to sell your client additional services, you should seek consent to share information and make it plain what information you want to share and with whom.
Similarly, if you receive inbound referrals from an individual or network you should make sure you are not receiving information that your contact has no right to be sharing. If you hold it or use it, you also have a problem under GDPR. You cannot blame your referral source: it is your job to check what their referral practice is.
A good referral usually comes with a background briefing explaining why two people should be introduced, but in GDPR terms the less personal information that briefing contains the better, particularly as referrals are so often made by plain email. If you run an active referral network, set up a more secure way to exchange client information (with the client's consent) than an email thread. You must follow your own professional standards as well as comply with GDPR.
Referral marketing is always going to be a legitimate part of growing a professional practice. But GDPR means your arrangements need to be transparent and secure. And your client needs to expect contact from a specific organisation or individual – not to be taken by surprise.
Outsourcing and GDPR
If you are paying people who are not employed by you to undertake work then you are outsourcing, whether that is one self-employed bookkeeper, a virtual assistant, or an entire organisation. If external people have access to personal data then you need to make sure you are doing this in a GDPR-compliant way.
You should conduct an audit of which people/organisations access your systems and information and what they have access to. It is easy to forget the people who service your organisation and focus solely on associates and sub-contractors. But you need to check all of them.
Examples of external contractors who may access personal data include:
- Web designers
- Marketing teams
- Event managers
- Virtual assistants and diary managers
- HR support and advice
- External compliance teams
All of these people, along with your sub-contractors and associates, need to be properly contracted for GDPR and given written instructions on what they may do with the data they access. Your onboarding and contracting needs to deal with this expressly.
You need to look at the software platforms and systems you give access to.
- Who has login access?
- Do they still need it? (if not turn it off)
- What level of rights/authority do they have?
- Can they do their work with a lower level of access?
Many organisations simply give all levels of access to anyone working on shared platforms. Others forget to turn people off when they are no longer working with you. When onboarding or exiting a contractor, you need to make sure you are giving the minimum access consistent with their role for the minimum period of time.
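The four questions above amount to a periodic access review: every external login is checked against the contract that justifies it, against whether it is still being used, and against the lowest privilege level the role actually needs. The script below is an added example and is not part of the original article. The privilege ladder, the role-to-access mapping, the 90-day inactivity threshold and the account list are all constructed for illustration; in practice the accounts would come from an export of your platform's user list and the mapping from your own contracts.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Hypothetical privilege ladder: higher number = more rights. Real platforms
# have their own role names, so map them onto a ladder like this one.
LEVELS = {"read": 0, "edit": 1, "admin": 2}

# Hypothetical mapping of contractor role -> highest access level that role
# needs. Anything above this is excess privilege. Roles not listed here
# have no agreed access level and are flagged for review.
ROLE_MAX_LEVEL = {
    "web designer": "edit",
    "virtual assistant": "edit",
    "bookkeeper": "edit",
    "marketing": "read",
    "external compliance": "read",
}


@dataclass
class Account:
    login: str
    role: str
    level: str                   # current access level, one of LEVELS
    contract_end: Optional[date]  # None = open-ended engagement
    last_login: Optional[date]    # None = never logged in


def review(accounts: List[Account], today: date, stale_days: int = 90) -> List[dict]:
    """Return one finding per account that needs action.

    Checks are applied in order of severity: an ended contract or an unused
    login means the account should be disabled outright; only accounts that
    survive those checks are compared against the privilege their role needs.
    """
    findings = []
    for acct in accounts:
        if acct.contract_end is not None and acct.contract_end < today:
            findings.append({"login": acct.login, "action": "disable",
                             "reason": f"contract ended {acct.contract_end.isoformat()}"})
            continue
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append({"login": acct.login, "action": "disable",
                             "reason": f"no login in the last {stale_days} days"})
            continue
        needed = ROLE_MAX_LEVEL.get(acct.role)
        if needed is None:
            findings.append({"login": acct.login, "action": "review",
                             "reason": f"no agreed access level for role {acct.role!r}"})
        elif LEVELS[acct.level] > LEVELS[needed]:
            findings.append({"login": acct.login, "action": "downgrade",
                             "reason": f"{acct.level} exceeds the {needed} access a {acct.role} needs"})
    return findings


# Constructed sample inventory (not real data) covering each case the
# checklist raises: expired contract, excess rights, unused login, unknown role.
REVIEW_DATE = date(2025, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "web designer", "admin", date(2024, 12, 31), date(2025, 1, 5)),
    Account("bob", "bookkeeper", "edit", None, date(2025, 2, 20)),
    Account("carol", "marketing", "admin", None, date(2025, 2, 25)),
    Account("dave", "virtual assistant", "edit", None, date(2024, 10, 1)),
    Account("erin", "event manager", "read", None, date(2025, 2, 28)),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{finding['login']:8} {finding['action']:10} {finding['reason']}")
```

Run on the sample inventory it flags alice (contract over), carol (admin rights for a read-only role), dave (no login for over 90 days) and erin (a role with no agreed access level), and leaves bob alone. The order of the checks matters: an account whose contract has ended is disabled regardless of how little privilege it has, which is the "minimum period of time" half of the rule, while the privilege comparison enforces the "minimum access" half for the accounts that remain.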
Sub-contracting and associates
You need to go through a very similar process for sub-contracting and using associates to deliver work to your clients.
If the sub-contractor is not based in the UK, then you may also have to deal with the geographic issues raised in this earlier article.
Will disclosure make the clients go straight to the sub-contractors?
There is concern that letting your client know that someone who is not your employee is working on their account will mean the client will cut out your firm and go straight to them.
If all you are doing is passing the work through without adding any value for the client, this is a real risk. If, on the other hand, you add value to the sub-contractor's work by applying your own professional skills, you need to make that clear to the client.
Your strategy for sub-contracting should include an analysis of where you add value and where sub-contracting is reducing cost to the client. You can then present this to your client as “I always get x to do the basic work and get it back to me. This saves you money and I can then focus on making sure the work is correct and we focus on giving you the best advice/doing what we do best”.
You will also need to contract properly with your client and your sub-contractors and associates and make sure you have the appropriate ‘restraints’. Whilst these are not always easy to enforce, they can provide a disincentive to blatant poaching.
If you control the access to data and the logins that your sub-contractor uses, then you can take reasonable steps to ensure not only the security of your client’s data but also your business.
Treat data as if it were cash
If all of this is making you feel a bit perplexed then it may help to start thinking about personal data as if it were cash.
Your client has lent you some cash to take care of.
- Would you lend it out to someone else without them knowing about it?
- Would you leave it lying around where anyone could pick it up?
- Would you use it for your benefit without asking the client?
When it comes to data the boundaries can blur. Somehow emailing a contact with information does not feel the same as handing them your client's money. And leaving client funds in cash in an unattended and unlocked room does not feel the same as leaving client information in an unsecured database. You would never take your client's money and use it to fund your own practice, but taking their data to make money out of referrals or list exchanges doesn't feel as inappropriate.
Ultimately GDPR is about trust, transparency and security. This is something the professions should be able to integrate at the top level without much difficulty. With the right systems and contracts and policies, you can make a great start to maintaining this for the personal data you hold. It does not have to be complicated, but it does have to be clear and thorough.
Annabel co-founded Irenicon in 1980 and during the last 30+ years, managed to juggle being a mother to her two children with advising clients on everything to do with the tough side of HR. From flexible working and parental leave to discrimination and TUPE - she loves the