The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA.
IT systems, infrastructure, databases and software development and maintenance can involve the handling and transfer of the kinds of data covered by GDPR regulations. As such, organisations whose IT functions have GDPR implications must be aware of the rules and procedures that must be adhered to.
Organisations that use third-party IT outsourcing providers to staff functions with GDPR relevance carry the additional responsibility of ensuring that their provider performs the work in a GDPR-compliant way. Under the regulation the client, as data controller, remains accountable for what its processors do, and the consequences of getting this wrong can be extremely serious.
These examples demonstrate the importance of carefully assessing the GDPR compliance of your IT outsourcing partner and implementing appropriate safeguards to protect personal data in your IT outsourcing arrangements, regardless of where you are located.
As an end client of an IT outsourcing provider, there are several GDPR considerations you should keep in mind and be prepared for:
You can learn more about GDPR in the context of IT outsourcing by referring to this article which covers the main FAQs around the topic –
Here is a checklist of things that an organization should look for in an IT outsourcing provider that will handle, process, or have access to data regulated by the General Data Protection Regulation (GDPR):
The IT outsourcing provider should be able to demonstrate that it is GDPR compliant and has implemented appropriate measures to protect personal data. This may include data protection by design and by default, technical and organisational security measures, and documented procedures for detecting, handling and reporting personal data breaches.
The IT outsourcing provider should have a written data processing agreement in place (GDPR Article 28 requires processing by a processor to be governed by a contract) that sets out the roles and responsibilities of each party with respect to GDPR compliance. This agreement should include clauses on data protection by design and by default, data security measures, breach notification, sub-processors, and the return or deletion of data at the end of the engagement.
If the IT outsourcing provider's core activities involve large-scale or regular and systematic processing of personal data, it may be required to appoint a Data Protection Officer (DPO) to oversee GDPR compliance.
The IT outsourcing provider should respect the rights of data subjects and be able to assist you, as the controller, in responding to requests to access, rectify, erase, or restrict the processing of their personal data within the statutory deadlines.
If the IT outsourcing provider is transferring personal data outside the European Union (EU) or the European Economic Area (EEA), it should ensure that appropriate safeguards are in place to protect the data, such as standard data protection clauses or binding corporate rules.
Where the processing is likely to result in a high risk to individuals, you should conduct a Data Protection Impact Assessment (DPIA) to identify and mitigate potential risks to the rights and freedoms of individuals arising from the processing of personal data in your IT outsourcing arrangements.
Outsourced specialists located outside the European Union (EU) can work on IT infrastructure and software development projects that must comply with the General Data Protection Regulation (GDPR). However, organisations that outsource IT functions to a third-party service provider outside the EU are required to ensure that the level of protection guaranteed by the GDPR is not undermined: the personal data must be protected to the same standard as if the processing were carried out within the EU.
In order to achieve GDPR compliance when outsourcing IT functions outside of the EU, organizations should consider the following factors:
Data Protection Agreement: Organisations should have a written contract in place with the third-party service provider that includes provisions on data protection and security. This should include any requirements for the service provider to implement appropriate technical and organisational measures to protect personal data.
Data Transfer Mechanisms: Organisations should ensure that they have a valid legal mechanism in place to transfer personal data outside of the EU, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
Data Processing Location: Organisations should establish exactly where personal data will be stored and processed, and check whether that country is covered by an EU adequacy decision. Where it is not, the transfer mechanism from the previous point (SCCs or BCRs) is required, together with an assessment of whether local law (for example, government access to data) undermines those safeguards and whether supplementary measures such as encryption with keys held only in the EU are needed.
Data Security: Organisations should ensure that the third-party service provider has appropriate technical and organisational measures in place to protect personal data from unauthorised access, use, or disclosure. This may include encryption in transit and at rest, pseudonymisation, role-based access control with least privilege, logging of access to personal data, and secure data storage and deletion.
Data Breaches: Organisations should have a plan in place for responding to data breaches, including procedures for notification and reporting to the appropriate authorities. Because the controller's 72-hour notification clock starts when it becomes aware of a breach, the contract should oblige the provider to notify you without undue delay after becoming aware of one, and to provide the details needed for your own notification.
Supervisory Authority: Organizations should be prepared to cooperate with the relevant supervisory authority and provide any information required for the purpose of ensuring compliance with the GDPR.
Keeping these additional considerations in mind, alongside those that apply to any IT outsourcing partner wherever it is located, will help organisations ensure that their IT outsourcing arrangements with non-EU providers are GDPR compliant.
The above considerations should also be formalised in the IT outsourcing contract itself, so that the GDPR requirements become enforceable obligations on the provider. In most cases your contract will:
It’s important to note that these are just a few of the key considerations when it comes to implementing GDPR requirements in an IT outsourcing contract. It’s always a good idea to seek legal advice to ensure that the contract is compliant with all relevant data protection regulations that apply to your particular organisation and the IT functions being outsourced to a third-party provider.
Of course, since the end client remains ultimately responsible for the GDPR compliance of its third-party contractors, contractually defined requirements and processes must be monitored to ensure ongoing compliance.
Regular reviews and audits should be conducted of the service provider’s data protection policies and procedures, data security measures, data processing activities, data transfer mechanisms, data breach response plan, and ability to assist with the exercise of data subject rights.
Consistent monitoring of the service provider’s GDPR compliance can help identify any potential compliance issues and take appropriate action to address them.
If regular reviews and audits of the service provider's ongoing GDPR compliance reveal a breach of the contract or of personal data, how should it be dealt with? You should always take qualified legal advice in such a case. However, some general best-practice actions that would be expected if a breach is identified are:
Time is of the essence when dealing with a personal data breach. It is important to identify and contain the breach as soon as possible in order to minimise any potential harm to data subjects.
Conduct a thorough investigation to determine the cause of the breach and the extent of the damage. This may involve working with the service provider to identify the root cause of the breach and take steps to prevent it from happening again.
Organisations are required to notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification should include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the contact details of the DPO or another contact point, and the measures taken or proposed to address the breach. Where the notification is made after 72 hours, it must be accompanied by reasons for the delay.
Organisations should cooperate fully with the relevant supervisory authority during any investigation into a GDPR breach. This may include providing any requested information or assistance.
Organisations are also required to notify affected data subjects where the breach is likely to result in a high risk to their rights and freedoms. This should be done without undue delay and in clear and plain language, describing the nature of the breach, its likely consequences, and the measures taken to address it.
It is important to review and update policies and procedures in the wake of a breach so that similar incidents do not recur. This may involve implementing additional security measures, tightening the contractual obligations on the provider, or revising existing policies and procedures in light of the root cause identified during the investigation.
At K&C, we have significant experience in providing GDPR-compliant IT outsourcing services through numerous partnerships and projects that involved data governed by the regulatory framework.
If GDPR fitness and compliance are key considerations for your selection of an IT outsourcing partner, you are in good hands with us. Get in touch, we’d love to help!
K&C – IT outsourcing services that deliver
Drop us a line to discuss your needs or next project