To Outsource or Not to Outsource
Posted on 8th June 2020 at 15:41
For years JCBcs have advised that great caution should be taken when you use and outsource services within your business, especially when we consider that GDPR stipulates that Appropriate Measures & Contractual Obligations must be strictly implemented & followed.
We must remember..
The data that our outsourced providers manage & manipulate was trusted to us by our customers & the responsibility to keep it safe is still very much ours.
Issues may arise because we are at the mercy of our outsourcing provider doing things the way that we would expect in order to protect our data. Unfortunately that isn't always the case, as this recent issue with IT services giant Conduent demonstrates. It isn't the first issue we have seen with a Managed Service Provider (MSP) and it is unlikely to be the last.
Select your Outsourcing carefully..
For any organisation, as we continue to grow we have 2 fundamental objectives:-
To make more money.
To reduce our costs.
There is obviously nothing wrong with this philosophy; we all want successful businesses that will make more money.
Importantly, however, when it comes to following a successful GDPR/Cyber Compliance journey, there are strict rules that need to be followed to maintain our integrity and to avoid possible costly consequences from non-compliance or data breaches.
Guardian of your Galaxy
No matter the size or type of our organisation, it is very important to consider that with GDPR we need to understand 2 very important points:-
We are wholly responsible for the data that we have within our organisation, from the inception of the data (birth) to its deletion (death). This responsibility is without exception.
If we outsource certain services in our organisation like IT, Credit Control, Accountancy, HR etc, allowing these external companies to manipulate our data or just to have the ability to access our data, the responsibility for the integrity, security & protection of the data is ours.
This means that we must ensure that our customers' data is compliant no matter who has access to it or where they may be able to gain access to it, access which will have been allowed at our request when appointing any outsourced service within our organisation.
With GDPR we are required to implement Appropriate Technical & Organisational Measures. These measures must follow the travel of the data and will make responsible/accountable everyone who either:-
Hold the data.
Access the data.
Manipulate the data.
Share the data.
Backup the data.
Store the data.
Destroy the data.
Our customers have placed trust in us that their data/details will be safeguarded. They do not need to make any special request that, if we use any outsourced services, their data will still be protected.
The reason for this!
Quite simply because our customers did not know (unless we made it very clear with our T&C and/or Privacy Policies) that we will share their information. So when we appoint our outsourced provider to assist with our day to day operations, our customers do not need to know about that company unless that same provider facilitates a data breach.
However, it is our responsibility to have a formal contract with our outsourced provider. This contract must exist before they supply any services to us, must clearly make them accountable, and must enforce on them the same “Appropriate Technical & Organisational Measures” that we have implemented within our own organisation.
If you do not follow these simple rules and:-
Appoint an outsourced provider.
Do not create a formal contract.
Appropriate measures are not followed.
Allow the outsourced provider to access or manipulate your data in any form.
Then there will be serious consequences for both parties for non-compliance. Also, should a Data Breach occur, appropriate breach notification procedures/policies will need to be enacted.
At JCBcs we offer comprehensive GDPR/Cyber Consultancy that will ensure that your business understands & follows a correct & tailored Compliance Journey.