
GDPR means “no-outsourcing or offshoring”

Blog: Capgemini CTO Blog

In the last few months, I have witnessed several client conversations about the EU GDPR (General Data Protection Regulation) impacting “personal data” application services delivered from non-EU locations. The first reaction (not backed up by application or transaction insight) is usually that data processing services for such applications cannot be offshored to a non-EU location—which can be a misplaced interpretation.

The GDPR requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within the territory of EU Member States. Organizations need to ensure that their data processing activities are carried out in accordance with the data protection principles set out in the GDPR.

To manage application services from a non-EU location, IT services organizations should pay close attention to and align with:


  1. An organization-wide data classification policy that covers personal data classification. Internal policies should adopt the principles of data protection by design and data protection by default.
  2. Procedures to ensure that all contractual clauses with clients relating to personal data and security exhibits are validated internally before the contract is signed.
  3. Implementation of a DPO (data protection officer) organization and a tool-based approach to maintain a detailed mapping of all personal data processing.
  4. Procedures in place to check the correct implementation of personal data protection policies and personal data transfer policies, in compliance with client contractual requirements.
  5. Training programs to onboard teams and raise awareness of personal data issues and regulations.
  6. Strong enforcement of identity and access management policies, tools and processes for databases containing personal data, backed by strong authentication and audit procedures.
  7. Implementation of tools for masking or pseudonymizing personal data.
  8. Procedures to ensure personal data protection during encryption, archiving and deletion (data lifecycle management).
  9. An incident management process to adequately report, respond to and mitigate data breaches. These policies and programs should be kept up to date and tested regularly so that regulators and consumers can be notified in a timely manner (within 72 hours of becoming aware of a breach) in the event of a data breach.

GDPR impacts data processors and data controllers alike, bringing data protection practices to the forefront of the business agenda. With the rise of cybercrime, it is becoming more important to consider consumer protection and brand reputation in information security design. For organizations to remain GDPR compliant, they must continuously monitor the effectiveness of the measures implemented and continuously improve them by incorporating best practices in personal data protection.
