In this article, we illustrate how to implement GDPR successfully and in a more targeted way within the organization, using specific criteria that can be taken into account. The model may vary according to the organization's structure and internal procedures.
Although the General Data Protection Regulation (GDPR) has been in force since 25 May 2018, there are still organizations that have achieved and maintain the necessary level of compliance internally, but do not pay sufficient attention to the Regulation when negotiating business with suppliers of external services (executors). As a result, they fail to recognise that, as controllers, they remain exposed to responsibility and risk throughout the chain of executors and their subcontractors, as set out in Article 28 of the General Regulation.
Each Data Protection Officer (DPO) shall evaluate the documents and actions that serve as guarantees and, accordingly, set out the required level of compliance. In order for such documents to reflect the requirements of the Regulation while pursuing the objectives of the organization, the DPO should take into account the wide range of criteria arising from the framework of the Regulation itself. In the first place, this means becoming acquainted with the procurement procedure, in order to establish where in its steps the various measures can be implemented.
Depending on the organizational model, an executor may be involved in virtually any business process, and different executors have a different degree of influence on the controller's personal data. Generally speaking, outsourced business processes that handle a large volume of personal data are the most likely to have an impact on the controller's personal data. Examples of such outsourcing include employment agencies, sales agents (external sales channels), IT service providers, call centres, payroll calculation and other accounting services. A smaller impact is to be expected from, for example, external marketing agencies engaged for rebranding, or vehicle leasing contracts.
In addition to the volume of personal data, other factors may also affect the risk to personal data. An example is the additional effort required to select protective measures when the tender is international and involves companies headquartered in countries not covered by an adequacy decision, which can be expected to be serious candidates because of the low cost of their services.
One common way in which organizations secure a guarantee of the executor's compliance is a standard contract or data protection agreement, which also sets out the protection measures to be applied to the data. Sometimes GDPR compliance clauses are an integral part of a commercial contract or other legal act with executors. When selecting an executor whose service has a significant impact on the personal data provided to it by the controller, an audit of the executor's compliance is particularly important.
In addition, the DPO may stipulate additional guarantees for specific types of procurement in the tender conditions. An example would be a tender for an IT service in which a valid ISO 27xxx (or equivalent) certificate is required.
On this basis, the DPO can create a matrix for the procurement function that makes clear, for each segment, which form of guarantee is required, when the procurement procedure applies, and which additional conditions may be set.
The frequency with which the organization issues tenders, as well as the expected number of bids received, should also be taken into account. If the company publishes two tenders per year, or if the total number of tenders does not require great effort, such systematization may be unnecessary, and the assessment and criteria may be negotiated individually for each tender competition.
The key aim of the whole process is to reach the final selection phase with only those candidates that have the necessary level of compliance. Otherwise, an organization that contracts executors without a DPO evaluation is exposed to the risk of non-compliance with the GDPR and to the additional financial cost of achieving compliance after the fact.
Authors: Ines and Marko Krečak, DPO Feralis