GDPR questionnaire

IT outsourcing has become a real business card of Ukraine: domestic IT companies are happy to provide services to foreign customers and receive fair and decent remuneration at the level of developed European countries. However, when it comes to maintaining the same European standards in the field of personal data security, business does not always pay due attention to this issue.

While Ukrainian companies are still mulling over the need for compliance with the requirements of European legislation, the tentacles of the GDPR are gradually but steadily continuing to tighten.

What is a GDPR questionnaire?

The most common and at the same time the easiest way to assess a company's GDPR compliance is to use special questionnaires. In essence, a GDPR questionnaire is a list of approximately 20-30 questions laid out in a handy table.

A typical GDPR questionnaire contains the following fields:

  • questions;
  • answer field (usually two options are available: Yes or No);
  • comments (used to provide detailed responses).

It is really good practice for the company to add explanatory notes to the questionnaire. They help you better understand the meaning and purpose of the question asked. Unfortunately, not all questionnaires contain notes.

Types of GDPR questionnaire

Today we can encounter three types of GDPR questionnaire:

In practice, Ukrainian IT outsourcing companies most often encounter the second type of questionnaire: one sent to evaluate counterparties (service providers). Therefore, in this article, we will focus specifically on this kind of questionnaire.

The structure of the GDPR questionnaire

A typical GDPR questionnaire can be conditionally divided into two blocks of questions:

  • general block;
  • special block.

The general block of questions concerns the state of the company’s awareness of GDPR standards. Usually, it contains the following questions:

  • Does your company know about the GDPR?
  • What is your role in processing personal data (controller, joint controller, processor, sub-processor)?
  • In which country do you process personal data?
  • What are the legal grounds for data processing?
  • What are the purposes of processing personal data?

The special question block addresses the need to meet the specific GDPR requirements and contains the following common questions:

  • Does your company use subcontractors?
  • Has the company developed appropriate policies and procedures for protecting personal data?
  • Have adequate technical and organizational security measures been implemented?
  • Has the Data Protection Impact Assessment (DPIA) been carried out?
  • Is the Data Protection Officer (DPO) designated by the company?

Why have I been sent a GDPR questionnaire?

If European customers have sent you a GDPR questionnaire, you are likely to have access to the personal data of their customers (employees or contractors) in the course of providing services.

The fact is that the concept of “processing” has a very broad meaning and encompasses “any operation or set of operations which is performed on personal data or on sets of personal data”.

In its comments, the European Commission notes that “the access to a database containing personal data” constitutes processing within the meaning of the GDPR. Therefore, by accessing the personal database, you are acting as a processor and the European customer as the controller of such data.

The GDPR obliges the controller to cooperate only with processors providing sufficient guarantees to implement appropriate technical and organizational security measures. In addition, the GDPR establishes an accountability principle stipulating that the controller must be able to prove that it has verified service providers for compliance with GDPR requirements.

For the European customer, the GDPR questionnaire plays a dual role:

  • a way to obtain documentary evidence from service providers to confirm GDPR compliance;
  • proof that the European customer has taken appropriate measures to verify the service providers (evidence of compliance).


What to write in the GDPR questionnaire?

Let’s imagine: you’ve finally been sent the GDPR questionnaire. What to do? Strategically, the situation looks very simple: fill it in, sign it and send it to the customer. Profit!

But in fact, problems may arise on the second or third question when, for example, you try to determine the difference between the concept of “joint controllers” and “separate controllers”, conduct a privacy risk assessment of your business, or determine whether you are providing information society services to children. You will definitely ask yourself: “What to write here?”

There are no universal guidelines for what exactly to write in the GDPR questionnaire and they cannot exist a priori. The answers should always be based on the analysis of your business processes and a particular case.

However, we can say exactly what not to do. You can’t lie! Once signed, the questionnaire becomes a legal document that can be used as evidence in the event of any disputes with the counterparty in the future.

If you have received the GDPR questionnaire, you could consult your personal data protection lawyer. Inaccurate or false answers not only create serious reputational risks to your business but can also lead to claims from the counterparty.

