Outsourcing/Offshoring – Compliance with Data Protection Laws
May 4, 2010
Globalisation has made it possible to think further afield, not only in terms of selling products abroad and expanding into new markets, but also in terms of outsourcing work abroad to cut costs (offshoring). The beginning of the last decade saw around 10% of companies involved in offshoring their operations (see the ONS and OECD presentation and the 2009 OECD reports for further details). To give a brief example of offshoring: you might be a medium-sized accountancy practice wanting to outsource your bookkeeping to India so that you can provide a more competitive service for your clients. This is where it is important to understand that the export of such services would also entail the export of your client details, which would be subject to the Data Protection Act 1998.
The EU introduced Directive 95/46/EC, which forms the basis of the Data Protection Act. The Act regulates how information about individuals is stored and controls the geographical movement of such information. In particular, the transfer of data outside the European Union falls under a specific regime. Principle 8 of the Data Protection Act sets out that personal data shall not be exported to a country outside the EEA unless the receiving country can provide an adequate level of data protection. It is important to note that the other principles of the Act will still apply, such as processing data lawfully (the first principle), which would require you to seek consent from your clients before exporting their data. The EEA is an area slightly larger than the European Union and also includes Iceland, Liechtenstein and Norway. In addition, the European Commission decides which countries outside the EEA provide ‘adequate’ protection, such as the USA and Canada.
If the country you are offshoring to is neither in the EEA nor on the Commission's list of adequate countries, then you must fulfil a number of conditions to comply with the Data Protection Act. The Information Commissioner's Office (ICO) states that you should ‘assess the adequacy’ of the third country's data protection laws. Given how comprehensive this assessment is, it is probably not an approach that every company can afford to undertake. If it is not possible, then emphasis should be placed on the contract between the data exporter and the data importer to ensure that a similar level of data protection is guaranteed. So, to take the example above, the accountancy practice would be the data exporter and would enter into an agreement with the Indian bookkeeping service, the data importer. This agreement should cover, amongst other things, the allocation of responsibilities between the exporter and the importer, including any sub-processing of data by the bookkeepers.
The European Commission assists businesses in adding specific content to these contracts by supplying model clauses. These model clauses can be added to an offshoring contract (please see the Commission decision of 5 February 2010 for the updated clauses), but obviously they should accord in substance with the remainder of any negotiated contract. The ICO provides detailed good-practice guidance on offshoring. One of its salient suggestions is to ensure that the contract you enter into with the data importer is enforceable in both countries. But what if your company has merely set up a branch in a country outside the EU (a subsidiary) rather than offshoring to third parties? In this case the Information Commissioner has suggested that binding corporate rules (BCR) are the means to fulfil the data protection requirements (please see the ICO's guidance on BCR for more information on this subject).
Offshoring is a growth market as technological developments continue to increase the ‘internationalisation […] of the service economy’. Recent developments include cloud computing, which may drive further growth. But as these opportunities become more accessible to businesses, it is paramount to check compliance with the Data Protection Act before leaping ahead. Are you offshoring, or considering offshoring, any work? Have you thought about your data protection compliance? For a consultation about your requirements please contact us.