In the last few months, I have come across several client communications about compliance with the General Data Protection Regulation (GDPR). With the advent of GDPR in the European Union, IT businesses the world over have been jolted out of their slumber of non-compliance with data protection and privacy regulations.
While GDPR does not directly impact outsourcing to offshore data processors, there are certain rules and procedures to keep in mind so that IT service providers (offshore processors) do not end up losing their business.
STEPS IT SERVICES ORGANISATIONS SHOULD PAY CLOSE ATTENTION TO AND COMPLY WITH:
- Process data only on documented instructions from your clients. This means you need to review your existing contracts with your clients.
- Make sure you have non-disclosure and confidentiality agreements with every employee who has authorized access to the personal data of any person.
- Take appropriate security measures to ensure data security. Your organization's internal policies should comply with the principles of data protection by design and by default, for example by using pseudonymization or encryption of personal data, or by applying a privacy-protective default setting on the user's profile.
- When engaging a sub-processor (sub-contractor), make sure you have written authorization from your client and that the sub-processor is bound by the same contractual obligations you have towards your client.
- Review the platforms used (such as cloud services).
- Help your clients become GDPR compliant by:
  - facilitating their responses to requests from persons exercising rights under GDPR, for example by creating a function for handling requests to add, delete or change personal data;
  - helping them meet their obligations regarding the security of personal data, data breaches, data protection impact assessments, and consultations with the supervisory authority when needed.
- When your client requests it, delete, return or change personal data.
- When your client requests it, allow for audits.
- Maintain written records of the categories of processing activities (to demonstrate compliance).
- Detect data breaches and notify your client "without undue delay". For example, if a bug is detected that makes passwords visible, that data breach should be notified to the client without undue delay.
- Conduct training programs to onboard teams and raise awareness of personal data issues and regulations.
- Have procedures in place to check the correct implementation of your personal data protection policies and your personal data transfer policies, in compliance with your clients' contractual requirements.
- Put procedures in place to ensure personal data protection during encryption, archiving, and deletion (data lifecycle management).
All offshore data processors need to follow the guidelines laid down by data controllers around GDPR.
This may not be an exhaustive list, but it will definitely help IT service providers come a few steps closer to becoming GDPR compliant.
Making your outsourcing agreement GDPR compliant is just the start. Contact Legawise for assistance in drafting or reviewing a GDPR compliant contract with your clients.