Are You a GDPR Compliant IT Service Provider?

Legawise Team May 7, 2018 GDPR
are-you-GDPR-ready

In the last few months, I have come across several client communications about compliance with General Data Protection Regulation (GDPR). With the advent of GDPR in the European Union, IT businesses world over have been jolted out of their slumber of non-compliance with data protection and privacy regulations.

While GDPR does not directly impact outsourcing to offshore data processers, there are certain rules and procedures to be kept in mind so that the IT service providers (off-shore processors) do not end up losing their business.

 

STEPS IT SERVICES ORGANISATIONS SHOULD PAY CLOSE ATTENTION TO AND COMPLY WITH:

 

    1. Process data only after documented instructions from your clients. Which means you need to review existing contracts with your clients.
    2. Make sure you have non-disclosures and confidentiality agreements with your employees who have authorized access to personal data of any person.
    3. Take appropriate security measures to ensure data security. Internal policies of your organization should be compliant with principles of data protection by design and default.
 For example, using pseudonymization or encryption of personal data or using a default privacy setting on the user’s profile.
    4. When engaging a sub-processor (sub-contractor), make sure you have the written authorization from your client and have the same contractual obligations as your client, with such sub-processor.
    5. Review the platforms used (such as cloud).
    6. Help your clients become GDPR compliant by
      1. facilitating them to meet requests by persons exercising rights under GDPR. Such as, creating a function for making requests to add, delete, change personal data.
      2. Helping them meet their obligations of securing personal data, data breaches, data impact assessments, and consultations with the supervisory authority when needed.
    7. When your client requests, delete, return or change personal data.
    8. When your client requests, allow for audits.
    9. Maintain written records of categories of processing activities. (Demonstrating compliance)
    10. Detect data breaches and notify your client “without undue delay”. For example, if a bug is detected which makes passwords visible, such data breach should be notified to the client without undue delay.
    11. Conduct training programs to onboard teams, to raise awareness on personal data issues and regulations.
    12. Have procedures in place to check the correct implementation of personal data protection policies and transfer of personal data policies in compliance with client contractual requirements.
    13. Put procedures in place to ensure personal data protection during encryption, archiving, or deletion (data lifecycle management).

 

All offshore data processers need to follow the guidelines laid by data controllers around GDPR.

This may not be an exhaustive list but will definitely help IT Service providers in coming a few steps closer to becoming GDPR compliant.

Making your outsourcing agreement GDPR complaint is just the start. Contact Legawise for assistance in drafting or reviewing a GDPR compliant contract with your clients.

Recent Posts

frustration of contract
Has Covid-19 made it impossible to perform your contract?
April 24, 2020
Covid and employee privacy
Protecting Employee Privacy during COVID-19
April 17, 2020
Fresh Start scheme
Companies Fresh Start Scheme, 2020: A one time opportunity for Defaulting Companies to start afresh
April 3, 2020
PDPA
Singapore: Personal Data Protection Act, 2012 (PDPA)
January 10, 2020
how to terminate a contract
Drafting the Termination Clause in a Contract
January 3, 2020

Follow Us