Are you currently outsourcing any of your transaction tax functions to an unrelated third party? If so, it’s important to note your data has the real potential of making it into the public domain. That is, of course, if you don’t stay on top of things from a data security perspective.
When choosing an outsource provider, you will want to first ensure the provider can support your company’s security policies. A few examples of such policies would be data security, disaster recovery, and incident response. Also, try to remember the devil is always in the details, so make sure you ask as many questions as possible during your assessment. Everything should be in bounds: data access, data retention periods, password requirements, timeout periods, communication, etc.
Second, you will want to ensure your data is stored in a safe environment. Most outsource providers tend to utilize a co-location facility for this, but not all co-location facilities are the same. Make sure their facility has the proper certifications in place and that they are up to date. For instance, many co-location facilities will boast they are SSAE 16 certified. This is typically a good sign, provided the certification is up to date and assessed for renewal at least every year or two. A few other important attributes of a co-location facility include a manned security checkpoint, multiple card reader access points, and video surveillance.
Third, when transferring your data between your company and a third party, you will want to make sure the data is encrypted in transit. This can be accomplished by utilizing a secure FTP server. Although there are several different file transfer protocols and encryption levels to choose from, your IT department should be able to tell you which ones your company supports.
The notion of outsourcing strategic projects and/or recurring processes is becoming much more prevalent within the corporate tax department. So, when or if your company decides to follow suit, please make sure you ask the right questions and gather the right information on data security prior to signing a contract.