By now, it is crystal clear that the GDPR rollout will not only affect the way we engage in marketing but also how we handle data related to human resources, design projects, etc. What is not clear to many outsourcing agencies is how it is going to affect them, as they deal with a lot of personally identifiable information belonging to their clients.
Many agencies have begun to wonder how much consent they actually have, and even if they do have it, whether it is really documentable. External partners, third-party vendors, outsourcing and offshore agencies will all be affected by the GDPR, as invariably every company will have to deal with the data of a resident of the European Union at some point in its business.
Outsourcing agencies need to be really careful, as it is never possible to predict when the next lawsuit is going to affect them, and when it comes to GDPR, a lot is at stake. You will either have to pay 4% of your revenue or a whopping 20 million Euros if you are found guilty of non-compliance with the regulations.
In this article, let us take a look at how GDPR is specifically going to affect outsourcing agencies, as they seem to be risking the most if they are found non-compliant.
1. No matter where your outsourcing agency is located, it will affect you
The GDPR comes with extra-territorial measures, which means the scope of the regulation extends beyond the European Union. Prosecutors can penalize companies that do not comply, even if they are located outside the EU.
Not ensuring the privacy of individuals, or using their information without taking their consent or refusal into account, is going to harm your business. You might be fined up to 20 million Euros or have to cough up 4% of your revenue.
3. Data can be transferred, conditionally
The GDPR does not ban outsourcing, nor does it seek to put hurdles in the way of doing business with external vendors. All it requires of outsourcing agencies is to ensure that an adequate level of data protection is implemented.
4. Contractual changes
Earlier, the European Union used to enforce Model Contract Clauses against companies. These will now be replaced by standard data protection clauses, also known as standard contractual clauses (SCC). The new one-stop-shop concept will require data protection authorities to be hired if you are going to be dealing with large amounts of data.
5. You will be directly accountable
Under the GDPR, if you are a data processor, you will fall directly under the statutory obligations of the new regulations. You will be subject to fines, compensation claims, etc. In other words, you will be accountable for the data you handle, regardless of whom it belongs to. If you handle your external clients’ data, it is your responsibility to safeguard it; otherwise, you are accountable.
6. Consent and individual rights are paramount
The new GDPR makes it a requirement for outsourcing agencies to acquire affirmative consent from clients if data is shared. This consent must be based on a clear understanding and can be revoked or canceled at any time. Individual rights may also stop you from profiling customer or client data, and you will need to anonymize data.
7. Notify breach of security promptly
If there has been a breach of data security, the onus is on the external partner to inform all those affected and to bring it to the notice of the authorities. If the outsourcing agency is large enough and handles sensitive data such as DNA, health, race or ethnic data, etc., it will also need to appoint a Data Protection Officer.
The ramifications of GDPR on outsourcing agencies
The main ramifications of the GDPR on outsourcing will relate to how data is handled and how contracts are revised or amended. According to a Wavestone whitepaper, there will also be a need to assess infrastructure arrangements.
1. Service level agreements and contracts
Controllers and processors will need to review existing contracts and make amendments where necessary. If you have been extra careful about your privacy policies and how you use your client data, you may not actually need to make any amendments to your existing contracts. However, if you feel you do not specify clearly how you use data, or if you feel you do not have adequate consent and have been working in good faith on assumptions, it is now time to review your outsourcing contracts.
2. Cloud as a Service
Cloud infrastructure providers may come into particular conflict with the GDPR, as will many other IT infrastructure providers. More extensive legal contracting will be needed so that there is no room for ambiguity. Infrastructure as a Service, Cloud as a Service, Software as a Service, Platform as a Service, etc., will all come under the ambit of the GDPR.
3. The issue of sub-contracting
The GDPR also places restrictions on sub-contracting. The law makes it clear that controllers will need to give prior consent to sub-processors chosen by processors. For example, if your SaaS service makes use of Amazon IaaS, your clients have the option of using your service or not using it, and you will need to make this clear in your terms and conditions.
4. How many contracts?
Another issue that will bother outsourcing agencies, external vendors, and offshoring companies is the question of contracts. For every sub-contracting arrangement, there will need to be a contract. Contract management is therefore likely to become a huge issue for most outsourcing agencies, and this is something they will need to bear in mind. Existing contracts simply can’t be copy-pasted each time. Outsourcing agencies should probably speak to their local lawyers to gain more clarity on this matter.
5. Emergence of Blockchain?
Smart contracting, immutability of events and data, the need for consent, the practicality of the technology, etc. make Blockchain an important contender for enforcing GDPR. While Blockchain raises a number of questions of its own, its future in the face of GDPR is bright, and it could help outsourcing agencies more than they might ever have imagined.
You might also want to read this blog about GDPR’s effect on Indian outsourcing agencies.
The main ramifications of GDPR on outsourcing agencies will center on data usage, service level agreements, data infrastructure, and sub-contracting. If you are an agency that either sub-contracts or outsources data to another agency, you will probably need to revisit the contracts as soon as possible and make amendments to them. In addition, seeking legal counsel to draft simple and clear terms and conditions, so that there are no ambiguities, is also very important. Blockchain too may provide the necessary ammunition to comply with GDPR, while also turbo-charging outsourcing agencies in many other ways.