As a provider of IT outsourcing services, GDPR compliance is an important topic for us. It is also often a hugely important consideration for our mainly EU-based clients.
Data Protection Regulation (GDPR), which has been in force since May 25, 2018, aims to unify data protection for individuals in the European Union. In this article, we give you an overview of all the important changes and obligations you should be aware of if considering outsourcing software or IT projects.
IT services and software development projects often involve access to and the transfer of data and, as such, may be subject to GDPR compliance and considerations. Sometimes that means the IT specialists working on these projects, and their employers, must be EU-based. Or that GDPR-compliant systems and infrastructure need to be carefully set up.
For organisations working with IT outsourcing companies who often employ specialists based in and outside of the EU, it’s important to understand the GDPR rules that may restrict who works on their software development and other IT projects and in which roles or capacity.
This article aims to give you a broad understanding of the GDPR conditions that may influence your choice of IT outsourcing provider and how you work with them. We have also put together a comprehensive list of FAQs we have encountered on questions about IT service providers and software development outsourcing.
For more practical tips on protecting your organisation against potential GDPR breaches by an IT outsourcing partner, including a checklist for assessing their GDPR compliance, what to include in the service contract, how to monitor compliance with the contract and how to respond to a data breach should it happen, you can refer to this article:
None of the below should be considered legal advice, which we are not qualified to provide. It is an introductory overview only and you should seek qualified legal counsel on GDPR questions you may have on IT outsourcing topics.
Can We Help You With Your Next Software Development Project?
Flexible models to fit your needs!
A data protection reform was passed by the European Parliament in March 2014, before the full legal text of the General Data Protection Regulation (GDPR) replaced the outdated 1995 Data Protection Directive 95/46/EC. As of May 25, 2018, General Data Protection Regulation (GDPR) has applied to all companies that collect, store or process personal data of EU residents.
The General Data Protection Regulation (GDPR) states that companies should more strictly control how personal data is stored and used. This is to protect the right to privacy of every individual in the European Union. This means that IT infrastructure, software, systems and processes must be audited for applicable GDPR regulations. Here are some steps you can take as a company:
Any information relating to an identified or identifiable natural person is considered “Personal Data”. This includes name, telephone number, location data or online identifiers such as IP address and cookies. So-called “sensitive” personal data includes, for example, ethnic origin, political or religious beliefs, and memberships or genetic/biometric data. Any information that allows identification of the individual.
Information including employee data, customer data and other confidential and sometimes personal information is now often stored in a company’s internal IT systems. As such, contracted IT service providers often have access to this data. As soon as any access to the IT infrastructure is handed over to an external software development company, personal data such as employee or customer data is usually affected.
If the IT service company processes the data, it must comply with the obligations of the GDPR, even if this data is stored on its own servers or in the cloud. The framework of requirements and obligations to comply with the GDPR should be clarified in advance with IT service providers for software development. The most important questions to ask are:
The “responsible party” for ensuring GDPR compliance is the person, institution or organization that decides on the purpose and means of processing the personal data. Accordingly, it must be clarified whether there is commissioned processing or joint responsibility with the IT service provider.
In the case of commissioned processing, the service provider is considered a supporter and is considered an extended arm of the client. As such, the responsibility of GDPR compliance remains with the project sponsor..
An order processing agreement must now be drawn up. According to this, the commissioned IT service provider of the software development project may only use data for a specific purpose and in accordance with the client’s instructions. As soon as the service provider violates this, he assumes full responsibility.
In the event of an agreement on joint responsibility, the outsourcing service provider is obliged to comply with GDPR in the same way as the client commissioning the software development project. However, this also means that a legal basis must be created, as the sole consent of the client to the data processing is not sufficient. This is because the rights of the data subjects must also be taken into account by both sides, and it should also be made clear contractually who is responsible for what.
Regardless of whether there is commissioned processing or joint responsibility for the software development project, it is important to be aware that compliance is a joint responsibility. Accordingly, you should review your expertise as well as tools and processes within the organization and make changes based on findings.
It is important to know where the outsourcing service provider, and experts who will actually work on the project, are located. If the software development company is based in the EU, collaboration is straightforward. At a time when a lot of remote work is being done, responsible parties, contractors and off-site employees can be difficult to supervise, yet appropriate data protection and data security measures must be implemented. This applies to any employee who processes or stores data, regardless of the employee’s geographic location.
If the IT service provider (the recipient of the data) is located outside the EU, specific third country transfer requirements must be met. Once this is the case, the data may also be transferred to third countries outside the EU. However, these third countries must provide a level of data protection that is deemed sufficient by the European Commission. If this is not the case, sufficient data protection guarantees are required.
GDPR regulations should be taken into account during the planning phase of the project, and it will be helpful to have an experienced IT service provider aware of GDPR rules and potential risks as a partner. This is especially important in the context of fines of up to 20 million euros in the case of a serious GDPR violation.
This year, for example, the company “CAIXABANK, S.A.” were found to have violated Articles 6, 13 and 14 of the GDPR due to “transfer of personal data without consent” and had to pay a fine of a whopping 6 million euros.
Companies must take their data protection seriously and make their digital infrastructure GDPR-compliant.
By definition, the company needs effective consent from all data subjects for any kind of data transfer, storage, and processing. The entire handling of data should be discussed very carefully with professional legal advice taken. Data protection authorities are becoming increasingly strict and attentive when it comes to violations of the GDPR. To avoid mistakes in data protection even when outsourcing software development, you should only work with appropriate IT service providers with sufficient (legal) data protection expertise.
K&C - Creating Beautiful Technology Solutions For 20+ Years . Can We Be Your Competitive Edge?
Drop us a line to discuss your needs or next project