Author: Anij Janardhanan, Head of Global Compliance at Ascender
The European Union (EU) has introduced one of the most significant changes to data protection regulations in recent decades – the General Data Protection Regulation (GDPR).
The new regulation comes into effect at a time when large scale data breaches and the misuse of personal information is at the forefront of everyone’s mind. It aims to introduce strict privacy regulations, in a bid to harmonise data protection laws across Europe and better protect individuals.
While many Australian businesses might think these rules might not apply to them, it is actually more than likely the legislation’s scope will include a wide variety of Australian and Asian businesses, as it is not restricted by EU boundaries.
In fact, it will impact any organisation, public or private sector that processes the personal data of an EU resident regardless of whether the processing takes place in the EU or not.
As such, many businesses outside of the EU will now need to comply with GDPR and the whole raft of changes it brings. For procurement and supply professionals, it is going to completely change the relationship dynamics between businesses and service providers.
A new definition for businesses and service providers
In context of personal data, GDPR introduces the concept of controllers and processors, which may be new concepts in contrast to certain Privacy Laws.
A controller is a natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
A processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
A business can be a controller, processor or both at the same time. In the context of outsourced data processing activities, the most common conclusion will be that the outsourcer is the controller and the service provider is the processor.
The concept of controller and processor could be new to many Australian companies, as The Australian Privacy Act does not use these terms. The approach taken in Australia is to define any entity to which the Australian Privacy Principles (APP) apply as an APP entity. The Privacy Act is then applicable to those entities without distinguishing between controller and processor.
For businesses operating across the APAC region, they might be aware of this terminology from the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System. However, the CBPR only applies to personal information controllers as, under the APEC Privacy Framework, controllers are responsible for the activities processors perform on their behalf. Processors’ activities are then subject to enforcement through enforcement against the controllers.
Whereas in CBPR it is the controller that is responsible, GDPR expects controllers and processors to work together to achieve the objectives of Privacy and Data Protection. With this increased accountability, procurement and supply professionals will have to precisely define and agree upon obligations and responsibilities in the terms of the service.
This will completely change the relationship dynamics between businesses and their service providers, as there will be an increased focus on data protection and privacy responsibilities and credentials.
The New Relationship Dynamic
With the new legislation coming into effect on May 25, it is now essential impacted businesses ensure all their providers are compliant with GDPR. This means finding out what security and data protection policies, procedures and practices they have in place, whether they have a data register and whether they can act quickly upon a request, etc.
As such, contracts will have to be much tighter and may need to be amended to include additional sections to ensure compliance with the new legislation. Responsibilities will need to be clearly mapped out between the business and provider, so if an issue or a request was to occur, it would be handled correctly.
What can help you in becoming compliant as a data controller is working with a provider (processor) with a good Privacy Programme, as they will already have established practices to satisfy the data processor requirements of GDPR.
Look for providers with international certifications for their information security programme, like ISO 270001. While ISO certifications do not guarantee compliance with GDPR or other privacy obligations, these providers will have a head start in their own and your journey to GDPR compliance for your data and processes, from a data protection perspective.
Once you have selected a provider that has a strong data protection and privacy posture, don’t rest on your laurels. Have regular meetings with your partners to ensure they keep up to date with the evolving data protection and privacy requirements. An open channel of communication will be vital if you wish to remain compliant.
GDPR will bring in new regulations that are far-reaching and large in scope. It will mean many organisations in Australia and APAC may have to tighten their current data privacy, security processes and controls to comply with GDPR.
Organisations that have an existing Privacy Program, based on applicable APAC Privacy Laws, may find themselves enjoying a good degree of inherent compliance to GDPR. However, they may still need to work towards meeting the specific requirements of GDPR.
This is particularly the case if they work with any third parties (and subcontractors). It will be vital that any partners will also be compliant with GDPR to ensure your business adheres to the new regulations. This means, businesses and service providers will have to work much closer together to ensure compliance.
For a smooth transition, businesses need to choose their partners carefully, as this can really aid in complying with the increased data privacy regulations, as well as with any new regulations introduced in the future. Having a partner who can help you navigate the changing regulatory landscape will be vital in continuing to provide a core business function and meeting the expectations of employees.
Ascender is the leading payroll provider in Asia-Pacific and believes in empowering, enriching and connecting businesses to their people. Ascender offer complete, end-to-end solutions for your everyday payroll needs and beyond. For more info, visit https://www.ascenderhcm.com/.