GDPR and its Impact on Outsourcing

Josephine Mariñas

•

August 18, 2023

With only weeks left before the effectivity date of the GDPR, businesses in Europe and across the globe are preparing to cater to the new EU regulation. As a global service provider, the outsourcing industry is one of the businesses that will be directly affected, especially IT outsourcing providers as they are more exposed to information security.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy within all members of the European Union (EU). It was approved and adopted by the EU on April 26, 2016, and will take effect on May 25, 2018 after a two-year transition.

The GDPR aims to strengthen data protection and privacy by giving European citizens and residents primary control over their personal data and to simplify the regulatory environment by unifying data protection for all EU citizens.

Key terms and what they mean

Data Controllers are companies or organisations controlling personal data.
Data Processors are companies or organisations processing personal data based on the data controller’s directives and in compliance with the GDPR regulations.
Data Subjects are the citizens and residents within the EU.

What constitutes as personal data?

Any information that can be used to identify a person. Examples include a person’s name, email address, photo, bank details, medical information, computer IP address, and even social media post.

Key changes you should know:

Increased Territorial Scope
The regulation has extended the scope outside of the EU and it now also applies to companies collecting and processing data from individuals within the Union.
Penalties
Fines are applicable to both controller and processor and can result to fines in €20 million ($25 million) or 4% of a company’s previous global annual revenue (whichever is greater).
Consent
Terms and conditions must now be given in easy to understand and accessible forms attached with the purpose for data processing.

Who are affected?

Individuals and organisations located within the EU
Organisations located outside the EU providing services, and collecting and processing data from individuals within the EU

For citizens and consumers, this secures their personal data online and entitles them to certain rights such as the right to data erasure, right to access of information regarding their data, and right to be notified of a data breach, among others. Full list and information of data subjects’ rights can be found on the GDPR page.

On the other hand, businesses face the issues of giving citizens control over their complex personal data and ensuring thorough data security upon acquiring and deletion is a complicated technical and HR issue. Organisations are also at risk of huge fines if they do not comply.

So how does this affect outsourcing?

According to the 1Q18 EMEA ISG Index released by the Information Services Group (ISG), preparations of European enterprises for the GDPR resulted to a slump in the first quarter in the outsourcing market in Europe, Middle East and Africa (EMEA).

ISG EMEA partner and president Steve Hall commented:

“There is a degree of uncertainty in the European market that continues to depress demand for outsourcing. The focus on preparations for the sweeping GDPR data-privacy regulation and the impact this will have on business relationships is front of mind for many organisations and has led to a shift in priorities. The recent demise of Carillion and the financial uncertainty of some high-profile outsourcing companies has been extensively reported and has added a new degree of caution in the market.”

Hall also added:

“While traditional sourcing may have a bumpy ride in coming quarters, the trend toward as-a-service will continue to accelerate across Europe through 2018.”

In terms of outsourcing practices, there will be no major direct impact on the processes as outsourcing firms already practice privacy and security processes. Outsourcing firms need only to further strengthen security and privacy and align them with the GDPR guidelines. What will likely change is the relationship between the company and the outsourcing provider.

An example would be article 28 of the GDPR which states that the Controller must impose to its Processor a list of obligations to follow such as imposing technical and organisational procedures on the processor, increasing communication between the two parties, and determining which party bears the risk upon non-compliance of an obligation.

Compliance for both company and outsourcing firm is stricter, thus both should work on protecting each others’ liability. Outsourcing firms will have to follow the regulations set by their clients in accordance with the GDPR guidelines and strengthen their security procedures to ensure there will be no data breach.

Companies and outsourcing firms should have already started to assess the impact of the GDPR and implement the necessary changes before its implementation on May 25.

To ensure compliance, here are steps outsourcing providers can take to prepare for the GDPR:

Understand the GDPR
It is a must that any outsourcing provider know what the GDPR is, and how it affects your business. Key people in the IT outsourcing industry must understand its impact immediately and identify areas or processes that need changing in compliance with the regulation. It is also important to note that raising GDPR awareness and training the whole organisation is crucial especially for large companies that have multiple channels for storing and acquiring user data.
Review existing processes and technologies
Examining existing processes will help identify where new procedures and specialists are needed to comply with the GDPR. In addition, evaluating your current technology will help determine technical requirements to cater to data security, data auditing, and data privacy needs. Identifying and dealing with blind spots is a priority.
Create a data register
Creating a data register will help document your process of complying. As part of the GDPR, European countries will each have a Data Protection Association (DPA) that will enforce the GDPR and monitor your compliance. In case of a breach, you must be able to provide a data register to the DPA to show your progress.
Assess and document risks
It is important for IT outsourcing companies to document a roadmap ensuring security level is adequate. This includes encrypting and pseudonymisation of user data for further security. To ensure security, IT outsourcing providers must apply confidentiality, integrity, and availability of data processing systems and services.
Continue to test and assess security
After finalizing and establishing new processes, technology, and personnel in compliance with the GDPR, regular assessment and testing of all aforementioned areas must be done to ensure effectivity. Insights gathered must be used to improve. This will prepare your outsourcing firm in case of any breach.