As a result of the pandemic, and due to the unfolding global economic crisis, businesses are increasingly turning to outsourcing companies to reduce their costs while maintaining a high standard of service to their clients. But there are several pivotal questions to consider before making the leap into the world of outsourcing:
- How does the outsourcing provider handle data privacy?
- How can you ensure that your own company can remain compliant with relevant regulations whilst outsourcing?
- What exactly should you expect of your outsourcing provider when sharing data with them?
Unquestionably, for companies in the EU and Britain, the GDPR really is the gold standard when it comes to data protection. Let me unpack it for you.
What is the GDPR and who is subject to it?
In May 2018, the GDPR (General Data Protection Regulation) came into force, tightening up existing regulations that set out how companies collect, use, share and store data – particularly personal data. Personal data includes key aspects of someone’s identity, including their name and contact details, date of birth, IP address and location, social security details, ethnicity, sexual orientation and medical records, even financial and educational history. In an age where our whole lives are digitized, GDPR is vital legislation that keeps your clients and your company safe from the threat of data breaches. You only have to look at the Cambridge Analytica scandal to see the catastrophic consequences of data misuse and the impact this had not only on individuals but on businesses at large.
Any company in the EU or Britain, or any company outside the EU that stores data relating to EU and British citizens, must be GDPR compliant, or it faces massive penalties of up to four percent of its annual turnover. So it is wise to understand the legislation and to satisfy GDPR requirements to keep your business afloat!
The key players according to GDPR are as follows:
What impact does the GDPR have on your outsourcing to non-EU companies?
Under outsourcing agreements, the European company usually acts as a customer, and a non-EU company acts as a supplier. In such a case, the European company will basically act as a Data Controller. The non-EU company (say, for example, one based in the Philippines) acts as a Data Processor, provided that it has access or an opportunity to gain access to personal data processed by the customer.
If the outsourcing company will use the personal data for its own purposes, or independently determines the means of processing such data, it will automatically become a Data Controller and shall be responsible for compliance with the requirements of the GDPR.
Given the strict GDPR requirements, both parties (the company and the outsourcing provider) should work on managing each other’s liability. Outsourcing firms must follow the regulations set by their EU clients in accordance with the GDPR guidelines. Typically, following article 28 of the GDPR, the Controller obliges its Processor to follow a list of obligations - i.e. imposing technical and organizational procedures on the Processor, increasing communication between the two parties, and determining which party bears the risk if an obligation is not met.
How to stay GDPR-friendly in an outsourcing environment: A four-step guide
Follow these four steps to ensure your company stays compliant with the new regulations.
Know what personal data will be handled by the outsourced provider
Will the third party be handling names, addresses, phone numbers, websites or other personal data of people residing in the EU? Maybe they will have access to more critical information, such as social security numbers or the user’s credit card details. Or perhaps it will be less sensitive but still commercially valuable information, such as the user’s interest in movies, books, or kitchen or beauty products. Whatever you are collecting, make sure to keep track of it.
Identify who has access to this data under the outsourced provider
Find out who has access to this data and make them sign an individual NDA if they are not covered by the company NDA. Ideally, you want the smallest number of people possible having access to user data.
Understand the storage repository for this personal information
How are they storing the data, and for how long? Is the data stored on servers within the EU, or in another region? As soon as they process data from European individuals, and regardless of where the data is stored (in the EU or outside), your outsourcing provider has to meet all of the GDPR requirements/international transfer conditions.
Review risk assessments of the outsourced provider after any data breach
If ever there is a data breach, immediately get a list of users affected and notify them. Make sure to follow up with how you will prevent such a breach in the future.
The Arcanys difference: How we handle personal data
Arcanys is a non-EU established company that provides software development services to customers across the globe (both European and non-European clients). At the start of every collaboration, we prioritize and apply the proper processes and procedures to guarantee the security of company and client data, compliance with GDPR regulation for our European customers, and we make a concerted effort to fully understand any other rules and regulations our clients may be subject to.
Let me give you some examples of how we do this in practice.
- For our clients subject to GDPR with customers in the EU (like Enfo, Tiqqe, Citilog or Cube Mobile, among others), we apply the following procedures:
- Thorough research of all areas impacted by GDPR and clarification of the client’s specific rules in a separate document/contract.
- Establishing regular monitoring, inspection, and review procedures to minimize data storage and data processing.
- Implementation of protective measures, such as a pop-up consent when a user attempts to upload files to the system which may contain personal data.
- Pseudonymization, minimizing and encrypting personal data both at rest and in transit after you as the Data Controller have securely sent us the data over the network.
- Completing the changes and improvements to our internal processes and procedures required to achieve and maintain GDPR compliance, and
- Thoroughly testing all of our changes to verify and validate compliance with GDPR.
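To make the pseudonymization and minimization step concrete, here is an added example of a Processor-side intake function (illustrative code written for this article, not Arcanys’s own implementation). It assumes a field allowlist agreed with the Controller and a pseudonymization key that the Controller holds separately from the processed data.

```python
import hashlib
import hmac
import json

# Fields the engagement actually needs (assumed allowlist, agreed with the Controller).
ALLOWED_FIELDS = {"customer_id", "email", "country", "ticket_text"}
# Direct identifiers that must never enter the outsourced system in the clear.
IDENTIFIER_FIELDS = {"customer_id", "email"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: the same input always maps to the same token,
    so records can still be linked, but nobody without the key can reverse it.
    The key is the 'additional information kept separately' that GDPR Art. 4(5)
    requires, so it stays with the Controller, not the Processor."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_and_pseudonymize(record: dict, key: bytes) -> dict:
    """Drop every field not on the allowlist, then replace identifiers with pseudonyms."""
    out = {}
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            continue  # data minimization: the Processor never stores what it does not need
        if field in IDENTIFIER_FIELDS:
            out[field] = pseudonymize(str(value), key)
        else:
            out[field] = value
    return out


# Constructed sample record: not real personal data.
CONSTRUCTED_RECORD = {
    "customer_id": "C-10042",
    "email": "Jane.Doe@example.com",
    "date_of_birth": "1990-04-12",      # not needed for the ticket, so it is dropped
    "country": "DE",
    "ticket_text": "Cannot log in since yesterday",
}

if __name__ == "__main__":
    # Placeholder key for the demo; a real key comes from the Controller's secret store.
    demo_key = bytes.fromhex("00" * 32)
    print(json.dumps(minimize_and_pseudonymize(CONSTRUCTED_RECORD, demo_key), indent=2))
```

The output record carries no date of birth and no clear-text identifiers, yet two tickets from the same customer still share the same pseudonym, which is what the support workflow needs.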
At Arcanys, we want to do the best for our clients and take the hassle out of GDPR compliance so you can stay focused on your core business. Be assured we take the privacy, protection and security of your data extremely seriously during the outsourcing process, minimizing risk and providing you with the peace of mind you need amidst the complexity of GDPR.
If you have any further questions or would like more information regarding the benefits and procedures of outsourcing with Arcanys, please get in touch with us here, we’d love to see how we can support you in achieving your business goals.