This year the roll-out of the GDPR (EU General Data Protection Regulation) will bind all companies and organisations handling the data of individuals within the EU. From now on, companies can be held liable for the data they collect and use. Fines of up to €20 million or 4% of annual turnover can be imposed.
It is a race against time. Outsourcing companies will have to be compliant with the GDPR, and organisations processing data outside the EU will need to put extra measures in place to protect the personal data of EU nationals. This includes Binding Corporate Rules or contracts and additional measures to prevent data breaches. Any organisation may face fines if it is not paying attention to the new data privacy developments in Europe, as penalties for mishandling European citizens' data apply to all companies, not just those headquartered in the European Union.
Many different factors come into play on the way to eventual compliance, ranging from exposure to the geography that the GDPR covers, commitment to compliance, the volume of processes, vendor exposure and compliance, the data gathered, training and change management, and so on.
Step 1: Pre-Assessment
Before you start down the compliance path, you need to take stock of what your current state of compliance with the General Data Protection Regulation (GDPR) framework actually looks like. The pre-assessment depends heavily on the size of your company and the processes you have. Its aim is usually to work out the resource commitment your company needs in order to comply.
The important thing to remember here is that the scope you set, the commitment you make to the assessment, and the extent of your prior knowledge will determine how long the pre-assessment takes.
Step 2: Creating Records of Processing Activities
Keeping Records of Processing Activities (RPA) is a stipulation of Article 30 of the GDPR, which explicitly requires businesses to document their processing activities and record the processing purposes, data sharing and retention. These records must be made available upon request to the supervisory authority (in the UK, the Information Commissioner's Office, ICO).
Step 3: Evaluate the third parties
This is a critical step in becoming GDPR compliant, and one that needs special attention, since outsourcing and working with several vendors is an integral part of most businesses today. Vendor risk management (VRM) from a GDPR perspective essentially means making sure that all the services you use for your business do not violate your data protection obligations or create disruptions for you.
Step 4: Data Protection Impact Assessment
A Data Protection Impact Assessment refers to estimating the entire risk for the company and its operations. Essentially, it means that an external person helps the organisation to identify, assess and minimise the risk of its processing activities. A
Every European Union and EFTA member state assigns a national organisation, commission, agency, bureau or authority that is responsible for GDPR enforcement within that country's borders, providing information and support but also auditing and issuing sanctions and fines. Their status was formalised by the Data Protection Directive.
Below is a list of web links for the data protection authorities (DPAs) in various countries:
Andorra https://www.apda.ad/
Austria https://www.dsb.gv.at/
Belgium http://www.privacycommission.be/
Bulgaria https://www.cpdp.bg/
Croatia http://azop.hr/
Cyprus http://www.dataprotection.gov.cy/
Czech Republic https://www.uoou.cz/
Denmark https://www.datatilsynet.dk/
Estonia http://www.aki.ee/en
Finland http://www.tietosuoja.fi/en/
France https://www.cnil.fr/en/home
Germany https://www.bfdi.bund.de/
Greece http://www.dpa.gr/
Hungary https://naih.hu/
Iceland https://www.personuvernd.is/
Ireland https://www.dataprotection.ie/
Italy http://www.gpdp.it/
Latvia http://www.dvi.gov.lv/en/
Liechtenstein http://www.dss.llv.li/
Lithuania http://www.dvi.gov.lv/en/
Luxembourg https://cnpd.public.lu/
Macedonia https://www.dzlp.mk/
Malta https://idpc.org.mt/
Monaco https://www.ccin.mc/
The Netherlands https://autoriteitpersoonsgegevens.nl/
Norway https://www.datatilsynet.no/
Poland http://www.giodo.gov.pl/
Portugal https://www.cnpd.pt/
Romania http://www.dataprotection.ro/
Russia http://eng.rkn.gov.ru/
Serbia https://www.poverenik.rs/sr/
Slovakia https://dataprotection.gov.sk/
Slovenia https://www.ip-rs.si/
Spain https://www.agpd.es/
Sweden https://www.datainspektionen.se/
Switzerland https://www.edoeb.admin.ch/
United Kingdom https://ico.org.uk/