February 16, 2024
With only weeks left before the GDPR takes effect, businesses in Europe and across the globe are preparing to comply with the new EU regulation. As a global service provider, the outsourcing industry is one of the businesses that will be directly affected, especially IT outsourcing providers, as they are more exposed to information security issues.
The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy within all member states of the European Union (EU). It was approved and adopted by the EU on April 26, 2016, and will take effect on May 25, 2018, after a two-year transition.
The GDPR aims to strengthen data protection and privacy by giving European citizens and residents primary control over their personal data and to simplify the regulatory environment by unifying data protection for all EU citizens.
Personal data is any information that can be used to identify a person. Examples include a person’s name, email address, photo, bank details, medical information, computer IP address, and even social media posts.
For citizens and consumers, this secures their personal data online and entitles them to certain rights, such as the right to data erasure, the right to access information regarding their data, and the right to be notified of a data breach, among others. The full list of data subjects’ rights, with more information on each, can be found on the GDPR page.
On the other hand, businesses face the challenge of giving citizens control over their complex personal data and ensuring thorough data security upon acquisition and deletion, which is a complicated technical and HR issue. Organisations are also at risk of huge fines if they do not comply.
According to the 1Q18 EMEA ISG Index released by the Information Services Group (ISG), European enterprises’ preparations for the GDPR resulted in a first-quarter slump in the outsourcing market in Europe, the Middle East and Africa (EMEA).
ISG EMEA partner and president Steve Hall commented:
“There is a degree of uncertainty in the European market that continues to depress demand for outsourcing. The focus on preparations for the sweeping GDPR data-privacy regulation and the impact this will have on business relationships is front of mind for many organisations and has led to a shift in priorities. The recent demise of Carillion and the financial uncertainty of some high-profile outsourcing companies has been extensively reported and has added a new degree of caution in the market.”
Hall also added:
“While traditional sourcing may have a bumpy ride in coming quarters, the trend toward as-a-service will continue to accelerate across Europe through 2018.”
In terms of outsourcing practices, there will be no major direct impact on processes, as outsourcing firms already have privacy and security processes in place. Outsourcing firms need only further strengthen security and privacy and align them with the GDPR guidelines. What will likely change is the relationship between the company and the outsourcing provider.
An example is Article 28 of the GDPR, which states that the Controller must impose on its Processor a list of obligations to follow, such as imposing technical and organisational procedures on the Processor, increasing communication between the two parties, and determining which party bears the risk upon non-compliance with an obligation.
Compliance is stricter for both the company and the outsourcing firm, so both should work on protecting each other’s liability. Outsourcing firms will have to follow the regulations set by their clients in accordance with the GDPR guidelines and strengthen their security procedures to ensure there will be no data breach.
Companies and outsourcing firms should have already started to assess the impact of the GDPR and implement the necessary changes before its implementation on May 25.
All information regarding the GDPR can be found on their website.