The clock continues to tick, and the European Union's General Data Protection Regulation (GDPR) will come into force in a matter of days. GDPR has more teeth than previous data protection laws, and it has a long reach. The law is not limited by EU borders: any business that holds or processes personal data belonging to EU data subjects falls under the purview of GDPR. Irrespective of where your business is located, your company is expected to comply.
Naturally, most organisations based in the UK or EU, and companies from non-EU countries operating in the EU, handle data belonging to EU data subjects. All such businesses must comply with GDPR by 25 May 2018 or be prepared to pay potentially stiff penalties. But it doesn't end there: even after you make your own business GDPR compliant, the risk remains if you share personal data with third-party processors.
GDPR’s Article 28 clearly states that: “[data controllers] shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.
What does this statement imply? As an organisation that shares data with outsourcing companies, your company must conduct due diligence to satisfy itself that its outsourcing partners and other third-party suppliers comply with GDPR, and must bind each processor by a written contract setting out the processing and the processor's obligations (Article 28(3)).
Most organisations that outsource are 'data controllers': in simple words, you hold the personal data belonging to your customers, and you decide what it is for and what is going to happen to it. When you share this data with a third-party vendor or outsourcing partner, they process it as part of the work. They are the 'data processors'.
Any data security breach at the data processor will have an impact on your business. So, as part of your GDPR compliance plan, you must evaluate your partner's preparedness as well. If your partner is found to be non-compliant with GDPR, you stand to face potentially steep fines for having engaged a processor without sufficient guarantees.
GDPR penalties follow a two-tiered approach. Fines are assessed per infringement; where several provisions are infringed in the same or linked processing operations, the total fine is capped at the amount set for the gravest infringement (Article 83(3)), but separate infringements across unrelated processing can still add up quickly for businesses that show flagrant disregard for the law.
For the provisions considered of utmost importance to privacy and data protection (the basic principles for processing, including the conditions for consent, data subjects' rights and international transfers), businesses found to be non-compliant could face fines with an upper limit of €20 million or 4% of annual global turnover, whichever is higher. For infringements of the controller and processor obligations considered of lesser relative importance (such as data protection by design, records of processing, security of processing, breach notification and the Article 28 processor requirements), the upper limit is halved to €10 million or 2% of annual global turnover, whichever is higher.
While GDPR provides for heavy fines, it is to be noted that these are the highest possible penalties. For comparison, the maximum fine under the UK Data Protection Act 1998 is £500,000, and the highest penalty to date under that Act, for a very serious breach, was £400,000.
Monetary loss in the form of fines is just one side of the coin. If a security breach or lapse is uncovered at your outsourcing partner and they are found to be in non-compliance with GDPR, your business is exposed to all the risks associated with cybersecurity breaches:
Outsourcing partners and other third-party vendors that work with the personal data of your customers are an integral part of your data lifecycle. It is essential that they understand their role under the new law and are prepared to shoulder their share of the compliance burden. Assess your supplier's readiness from the legal, operational and technological perspectives:
QX is the first outsourcing company in India to become GDPR compliant. Our delivery centres met the requirements of GDPR on 26 April 2018 through certification to the British Standards Institution's BS 10012:2017 personal information management standard, a month before the regulation comes into force.
As the first GDPR compliant outsourcing company in India, we want our clients to be confident that we have taken all the necessary steps not only to keep their data secure but also to collect and hold only what is required.
Is your recruitment, finance and accounts, or accounting outsourcing partner GDPR compliant? Insist on a GDPR compliant partner and assess their GDPR readiness first hand. Non-compliance is not a risk worth taking.
We are also committed to helping our clients prepare for their obligations under GDPR. If you have any specific questions regarding the GDPR requirements, please email us at firstname.lastname@example.org and our GDPR team will respond.