GDPR: The Legal Side of the Equation (Part IX)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

As they used to say at the start of the Star Wars movies, the saga continues. Having explored the physical options of minimisation and anonymisation, information security standards and certification, we have the option of just, well … complying.

So, what has to be done? If you are a large global vendor in the analytics space, binding rules are the key option, as we have already suggested. For smaller, niche vendors, the regulations are a little more complex, but not insurmountable. As we have highlighted in several posts, for US providers Privacy Shield is a great start.

It is illegal from 25th May to move personal data outside of Europe without the right data controls and contractual agreements in place. The UK-based Information Commissioner's Office (ICO), as the supervisory authority of the UK, is a good place to start for detail. The ICO has written several key documents on how commercial relationships are supposed to work if personal data is moved outside of the EU. The most common arrangement is likely to be the Controller-Processor relationship: in effect, data is controlled within the EU but processed externally. As we mentioned in a previous post, processors that reside outside of the European Union must have representation within the EU. This representative receives notices from clients, so the contact details must be published and available.

The second group of conditions relates to processor operations. The ICO documentation on this is clear. Processors must:

  • only act on the written instructions of the controller (unless required by law to act without such instructions). This means that controllers need to be clear about what operations and processing will take place on the supplied data;
  • ensure that people processing the data are subject to a duty of confidence. This means that supplier organisations cannot simply state that staff “stole the data”; data access in processor organisations needs to be contractually managed;
  • take appropriate measures to ensure the security of processing. This is where the notion of certification and standards becomes prevalent;
  • only engage a sub-processor with the prior consent of the data controller and a written contract.

None of these conditions are insurmountable. Many procurement practitioners within the European arena will have started to scrutinise a wide range of non-EU supplier contracts, and many vendors may already have been engaged in this process.

In the next post we will continue the controller-processor theme, as there are several additional conditions that processors are required to meet.

We will post these in small doses, which keeps reading about and understanding the changes a little more digestible.

We do need to warn you that from here, the GDPR starts to appear somewhat incomplete.

However, it’s a big change that has yet to be combat-tested.

Thanks, Tony.