The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA.
Understanding GDPR and its implications for IT Outsourcing relationships
IT systems, infrastructure, databases, and software development and maintenance routinely involve handling, storing and transferring personal data covered by the GDPR. Organisations whose IT functions touch such data must therefore know the rules and procedures that apply to them.
Organisations that use third-party IT outsourcing providers to staff those functions carry the additional responsibility of ensuring the provider carries out its work in a GDPR-compliant way. In most outsourcing relationships the client acts as the controller and the provider as a processor, and the controller remains accountable for processing it has outsourced. The consequences of getting this wrong can be extremely serious.
Examples of IT outsourcing-related GDPR violations and their consequences
- In October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information fined H&M €35.3 million after the company’s Nuremberg service centre was found to have kept extensive records on employees’ private lives. The records came to light when a configuration error made them accessible company-wide. The case turned on excessive data collection and weak internal access controls, exactly the failings a client must rule out in a provider that will hold its personal data.
- In January 2019, the French data protection authority (CNIL) fined Google €50 million under the GDPR for failing to give users clear and comprehensive information about its data processing, and for relying on consent to ads personalisation that was neither specific nor informed. Transparency towards data subjects is a controller obligation; it does not disappear when the processing itself is outsourced.
- In July 2017, the UK Information Commissioner’s Office (ICO) found that the Royal Free London NHS Foundation Trust had breached the Data Protection Act 1998 when it provided the records of around 1.6 million patients to DeepMind for testing of the Streams app without patients being adequately informed. No fine was imposed, but the Trust had to sign an undertaking committing it to changes. This is the closest of the three to a classic outsourcing failure: a third-party provider was given personal data without the legal basis and safeguards in place. The ruling predates the GDPR, under which the same conduct carries far higher potential penalties.
These cases show that regulators look at how personal data is actually handled, including by the third parties an organisation has entrusted it to. Assess the GDPR compliance of your IT outsourcing partner carefully and put appropriate safeguards in place, regardless of where you or the provider are located.
As an end client of an IT outsourcing provider, there are several GDPR considerations you should keep in mind and be prepared for:
- Assessing the GDPR compliance-readiness of your IT Outsourcing partner
- Implementing GDPR requirements in your IT Outsourcing contract
- Monitoring GDPR compliance in your IT Outsourcing relationship
- Dealing with GDPR breaches in your IT Outsourcing arrangement
You can learn more about GDPR in the context of IT outsourcing by referring to this article which covers the main FAQs around the topic –
Assessing the GDPR compliance-readiness of your IT Outsourcing partner – a checklist
Here is a checklist of things that an organisation should look for in an IT outsourcing provider that will handle, process, or have access to personal data regulated by the General Data Protection Regulation (GDPR):
GDPR compliance
The IT outsourcing provider should be able to demonstrate that it is GDPR compliant and has implemented appropriate technical and organisational measures to protect personal data (Article 32). Evidence to ask for includes data protection by design and by default in its development process, documented security measures (access control, encryption, logging, backup and recovery), records of processing activities, and a tested procedure for detecting and reporting personal data breaches.
Data processing agreements
Under Article 28 GDPR, a controller may only use a processor under a written contract. The provider should therefore be ready to sign a data processing agreement that sets out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations of each party: processing only on the client’s documented instructions, confidentiality commitments for staff, security measures, conditions for engaging sub-processors, assistance with data subject requests and breach notification, deletion or return of the data at the end of the engagement, and the client’s right to audit.
Data protection officer (DPO)
Article 37 requires a DPO where an organisation’s core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (health, biometric data and so on) or criminal-conviction data. An IT outsourcing provider whose core business involves such processing must appoint one, and where it does, the DPO is the natural contact point for your GDPR questions.
Data subjects’ rights
The IT outsourcing provider should be able to help you honour data subjects’ rights within the statutory one-month deadline: access, rectification, erasure, restriction of processing, portability and objection. Ask how it would locate and then extract or delete one individual’s data across its systems, logs and backups.
Data transfers
If the IT outsourcing provider, or any of its sub-processors, will process personal data outside the European Union (EU) or the European Economic Area (EEA), a Chapter V transfer mechanism must be in place: an adequacy decision for the destination country, or appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Since the Schrems II judgment (C-311/18, July 2020), safeguards alone are not enough: the transfer must be assessed against the destination country’s laws and, where needed, supplemented by technical measures such as encryption with keys held inside the EEA.
Data protection impact assessment (DPIA)
Article 35 requires a DPIA where processing is likely to result in a high risk to individuals’ rights and freedoms, for example large-scale processing of special categories of data or systematic monitoring. Conduct one before the outsourcing starts, to identify and mitigate risks arising from the arrangement; the provider is obliged under Article 28(3)(f) to assist you with it.
Do my IT outsourcing provider and specialists have to be located inside the EU to be GDPR compliant?
No. Outsourced specialists located outside the European Union (EU) can work on IT infrastructure and software development projects that must comply with the General Data Protection Regulation (GDPR). However, transferring personal data to a third-party service provider outside the EU/EEA is only lawful on one of the bases in Chapter V of the GDPR, and the client remains responsible for ensuring that the level of protection guaranteed by the GDPR is not undermined (Article 44).
In order to achieve GDPR compliance when outsourcing IT functions outside of the EU, organizations should consider the following factors:
Data Processing Agreement: Organisations should have a written contract in place with the third-party service provider that meets the requirements of Article 28, including provisions on data protection and security and the obligation on the provider to implement appropriate technical and organisational measures to protect personal data.
Data Transfer Mechanisms: Organisations should ensure that they have a valid legal mechanism in place to transfer personal data outside of the EU, such as the modernised Standard Contractual Clauses (SCCs) adopted by the European Commission in June 2021 or Binding Corporate Rules (BCRs).
Data Processing Location: Organisations should know exactly where personal data will be processed, including by sub-processors, in backups and through remote support access. Countries covered by an EU adequacy decision may receive personal data without further formalities; for all other countries a safeguard such as SCCs is required, together with a transfer impact assessment of local law and, where necessary, supplementary technical measures.
Data Security: Organisations should ensure that the third-party service provider has appropriate technical and organisational measures in place to protect personal data from unauthorised access, use, or disclosure. This may include encryption in transit and at rest, strong access control and logging, and, where encryption is part of the transfer safeguard, key management that keeps the keys inside the EEA.
Data Breaches: Organisations should have a plan in place for responding to personal data breaches. The provider must notify the client without undue delay after becoming aware of a breach (Article 33(2)), so that the client can meet its own deadline of 72 hours for notifying the supervisory authority where notification is required; agree contact points and timings in the contract.
Supervisory Authority: Organisations should be prepared to cooperate with the relevant supervisory authority and provide any information required for the purpose of ensuring compliance with the GDPR.
By keeping these additional considerations in mind, alongside those that apply to any IT outsourcing partner wherever it is located, organisations can ensure that their arrangements with non-EU providers are GDPR compliant.
Implementing GDPR requirements in your IT outsourcing contract
These considerations should be formalised in the IT outsourcing contract, which for GDPR purposes must contain the Article 28 terms of a data processing agreement. Your contract will, in most cases:
- Identify the data protection roles and responsibilities of each party. The contract should clearly define whether each party acts as controller, processor or joint controller for each processing activity, the security measures the provider is required to implement, and the client’s own duties and obligations in relation to data protection.
- Specify the personal data that will be processed. The contract should clearly outline the types of personal data that will be processed, the categories of data subjects, the duration of the processing and the purpose for which the data will be used. This should include any special categories of personal data (Article 9), such as data on racial or ethnic origin, political opinions, or health data.
- Set out the data transfer mechanisms. If personal data will be transferred outside of the EU, the contract should specify the legal mechanism that will be used to ensure that the data is transferred in compliance with GDPR requirements.
- Outline the data security measures. The contract should include provisions on data security, including the technical and organisational measures that the provider will implement to protect personal data from unauthorised access, use, or disclosure.
- Include provisions on data breaches. The contract should set out the procedures that will be followed in the event of a personal data breach, including the provider’s duty to notify the client without undue delay and the information it must supply.
- Specify the rights of data subjects. The contract should include provisions on the exercise of data subject rights, such as the right to access, rectify, erase, or restrict the processing of personal data, and the provider’s duty to assist with requests.
- Govern sub-processors and the end of the contract. The contract should require the client’s prior authorisation before the provider engages or replaces a sub-processor, flow the same obligations down to them, give the client a right to audit, and require deletion or return of personal data when the services end.
- Provide for cooperation with supervisory authorities. The contract should include provisions on cooperation with the relevant supervisory authority, including the provision of information to ensure compliance with the GDPR.
It’s important to note that these are just a few of the key considerations when it comes to implementing GDPR requirements in an IT outsourcing contract. It’s always a good idea to seek legal advice to ensure that the contract is compliant with all relevant data protection regulations that apply to your particular organisation and the IT functions being outsourced to a third-party provider.
Monitoring GDPR compliance in your IT Outsourcing relationship
Of course, since the client as controller remains accountable for the processing it outsources (Articles 5(2) and 28(1)), contractually defined requirements and processes must be monitored to ensure they are actually being followed.
Regular reviews and audits should be conducted of the service provider’s data protection policies and procedures, data security measures, data processing activities, list of sub-processors and processing locations, data transfer mechanisms, data breach response plan, and ability to assist with the exercise of data subject rights.
Consistent monitoring of the service provider’s GDPR compliance can help identify any potential compliance issues and take appropriate action to address them.
Dealing with GDPR breaches in your IT Outsourcing arrangement
If regular reviews and audits reveal that the service provider has departed from the contract, the remedies are contractual and you should take qualified legal advice. A personal data breach in the GDPR sense, a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, triggers statutory duties as well. The general best-practice actions expected when such a breach is identified are:
Respond quickly
Time is of the essence when it comes to dealing with a GDPR breach. It’s important to identify and address the breach as soon as possible in order to minimize any potential harm to data subjects.
Investigate the breach
Contain the incident, preserve logs and other evidence, and conduct a thorough investigation to determine the cause of the breach and the categories and volume of data affected. This will usually mean working with the service provider to identify the root cause and to take steps to prevent a recurrence.
Notify the supervisory authority
A processor must notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)). The controller must then notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The notification should include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it; where the facts are not all available in time, the information may be provided in phases. Every breach must be documented internally, whether or not it is notified (Article 33(5)).
Cooperate with the supervisory authority
Organisations should cooperate fully with the relevant supervisory authority during any investigation into a GDPR breach. This may include providing any requested information or assistance.
Notify affected data subjects
Where the breach is likely to result in a high risk to individuals’ rights and freedoms, the controller must also communicate it to the affected data subjects without undue delay, in clear and plain language (Article 34). This is not required where the data was rendered unintelligible to unauthorised persons, for example through encryption whose keys were not compromised.
Review and update policies and procedures
It’s important to review and update policies and procedures in the wake of a GDPR breach to ensure that similar incidents do not occur in the future. This may involve implementing additional security measures or reviewing and updating existing policies and procedures.
K&C – your GDPR-compliant IT outsourcing partner
At K&C, we have significant experience in providing GDPR-compliant IT outsourcing services through numerous partnerships and projects that involved data governed by the regulatory framework.
If GDPR fitness and compliance are key considerations for your selection of an IT outsourcing partner, you are in good hands with us. Get in touch, we’d love to help!