GDPR and IT outsourcing? We know the territory. And we decided to share some insights with you, so we can discuss the privacy topics that arise within your own IT outsourcing processes.
Here you can watch the webinar we hosted this Wednesday, 24 July 2019. In case you did not make it, below you will find a few of the topics we covered.
First of all, what is the GDPR? Why must the whole world suddenly build its data processes in accordance with it?
Well, the General Data Protection Regulation plays a key role in any business built on data. If a product's income is generated by processing customers' personal information, then security and confidentiality play the lead role in the battle for customers' trust. And though the GDPR is pretty fresh, it has already been quite fruitful, resulting in enforcement practice and judge-made law. As a result, we have a hefty casebook provided to us by the early stages of rethinking privacy law.
A great deal of the cases focus on liability and raise probably the most important question: who is in control? How do we understand who is going to be responsible in case of a breach or misuse of the personal data entrusted to them? How do we avoid scattering responsibility across the networks of sub-processors and recipients?
One of the answers is to clearly define the role. Under the GDPR, it is important to allocate duties as precisely and exhaustively as possible. Partly due to these considerations, the roles and responsibilities under the GDPR are distributed as follows: a legal entity or a natural person may be considered –
– Controller (the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data);
– Processor (a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller);
– Third party (a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data);
– Data protection officer (an expert on data protection law and practices, who is in a position to operate independently within the organization and ensure the internal application of the Regulation);
– Representative (a natural or legal person established in the Union who represents the controller or processor in case they are situated outside the EU).
This diversity may sometimes be misleading. It is important to check your rights and obligations and determine your role correctly.
Okay, I know my role. So what else should I do then?
As we can see in practice, paperwork is one of the first things that regulators consider during investigations and enforcement procedures. Thus, a pile of paperwork is right ahead of every one of us.
As a result, there is always a need to analyze the data flow and the company's role in data processing activities, and to determine the list of documents that shall be developed. Usually, the indicative number of documents is thirty. The exact number and content of the documents are determined on a case-by-case basis.
The tricky thing is that there is much more to it than a couple of policies and a standard contract that you find and adapt. The documents must be clear, precise and tailored to your product and your company.
In our company, we divide a set of GDPR documents into three main groups.
• Other documents.
This practice is known as a layered approach. This way we can ensure that nothing is left behind and that the processing is well-documented.
For instance, a data processing contract shall provide for the following:
• the processor’s obligation to act under the controller’s documented instructions;
• the parties’ obligation to implement appropriate technical and organizational measures;
• the covenants of the parties to keep their employees loyal and reliable;
• the engagement of sub-processors, and so on.
Okay, I did it. May I now hire a foreign IT outsourcing company and entrust my customers' data to them without risk?
It depends! Are you sure you should not build additional safeguards, taking into account the new jurisdiction that arises in the processing?
So, when it comes to the transfer itself, and your controller or processor is based in a foreign jurisdiction, you have to choose the option that suits you best:
• Adequacy decision (for countries whose reputation as a safe data destination has been backed by the Commission);
• Model Clauses (Standard Contractual Clauses) adopted or approved by the Commission, which are to be included in the contract or attached to the processing agreement;
• Binding Corporate Rules;
• Codes of Conduct;
• Privacy Shield (transfers to and from the USA and Switzerland);
• Article 49 derogations (e.g., consent).
For instance, U.S.-based entities may voluntarily self-certify under the Privacy Shield and thus enable their EU counterparty to send them personal data without additional organizational safeguards.
Still, by joining the U.S.-EU Privacy Shield, the entity promises to comply with a framework intended to align the level of legal protection of personal data.
Even if your IT outsourcing provider is based in another EU member state, there may be differences in the level of protection at the national law level. Don't forget to catch up with the applicable laws before any processing starts!
So, this is it? Is this what took you one hour to talk about?
Of course not! When you watch our webinar, you will see that we also discussed cases (both imaginary and those based on real prototypes), answered our listeners' questions and tried to explore every topic in detail, thus providing you with starting points you can rely on when thinking over how to comply with privacy laws.
There’s more (webinars) to come, so stay tuned!
IT Lawyers from Legal IT Group