Outsourcing in the Days of GDPR
The deadline for implementing the General Data Protection Regulation (GDPR) in the European Union was May 25. Service industries are particularly affected by the regulation, and the penalties for non-compliance are stiff.
Punit Bhatia, Privacy and Protection Officer for ING Bank, will be speaking at EOS18, June 11-13 at the Marriott Brussels, Belgium, on Outsourcing in the Days of GDPR. A privacy and sourcing specialist with more than 18 years of experience, he is the author of “Be Ready for GDPR: Let Us Check Your Readiness for General Data Protection Regulation.”
For a preview of a presentation you don’t want to miss at EOS18, read on for Bhatia’s expert insights.
What 3 things should businesses do to get ready for GDPR?
Bhatia: GDPR can be challenging for businesses. The best way to prepare is to get started with a GDPR compliance project as early as possible by following these four steps in order:
- Ask a legal counsel to help with the list of requirements that are relevant to your company
- Formulate what your company must do to fulfill the applicable requirements in a policy or procedure document
- Conduct a gap analysis against this policy document in each and every department
- Set up a project to monitor closure of the gaps revealed by the analysis
These recommended steps can be done with the help of an internal company lawyer with support from key departments or by an external firm.
How will these new privacy rules benefit consumers?
Bhatia: New privacy rules will put the consumers in control of their personal data by providing them with rights. This will allow a consumer to go to any company, such as their insurance carrier, and ask what data they have about them, why they need it, what they will do with this information and so on. If the consumer is not satisfied with the responses, they are allowed to ask to have their data moved to another insurance company.
How will GDPR potentially impact European-based companies and also non-European companies who do business in Europe?
Bhatia: With GDPR, it does not matter where your company is located. Instead, the location of your customers is the most important consideration. So, regardless of the location of your company, GDPR will apply to your company if you are processing personal data of those residing in the European Union.
Your company will be obligated to comply with privacy and protection requirements, to provide your customers with their rights and to be transparent about your company’s personal data processing practices. If your company does not do so, the regulators can issue warnings or a penalty of up to 20 million euros (about $25 million) or 4 percent of global turnover (whichever is higher).
How will it potentially impact outsourcing relationships and future contracts?
The short-term impact is that providers are being asked to sign data processing agreements or clauses as part of existing contracts. These clauses stipulate data protection obligations to providers, specify what processing is being allowed and their responsibility to notify in case of a breach. In the future, these clauses will become a norm in contracts of providers.
What industry sectors should be most focused on GDPR readiness?
Bhatia: While GDPR will touch most industries, some industries will be impacted more than others. These include:
- Industries whose core business is to provide services to individual customers that generally include the processing of personal data on a large scale. These industries would include financial services, insurance, retail, etc. All of these companies would need to take significant steps to comply with EU GDPR.
- Industries that provide marketing, business, process and system support services. All of these companies will become processors of personal data on behalf of their controllers (by whom they are contracted). While their controllers need to be GDPR compliant, GDPR also demands that processors be GDPR compliant, and they have the same liability if they do not fulfill obligations. These include organizations that provide cloud-based services, platform-based services, law services, analytics, event management, marketing, etc.
- Automobile industry: Most automobile manufacturers love to collect and process personal data about who buys their products. But, with GDPR being applicable, these companies would need to be more transparent with regard to what data they have, what they do with it, and why.
What is the theme of your talk at EOS18 and why should people attend? What will they learn?
Bhatia: I will provide a briefing on what requirements will apply to providers of services to companies in Europe and how they can comply. EOS18 attendees will come away with a perspective into GDPR requirements, an understanding of the obligations of providers and how they can fulfill those, as well as an overview of the impact on the outsourcing industry as a whole.