Send us a message
Fill in our form and we'll get back to you as soon as possible
Contact our offices
Make an enquiry
The Information Commissioner’s Office offers guidance for smaller businesses on how to comply with the Data Protection Act 1998 (DPA) when you outsource the processing of personal information, such as your payroll function or customer mailing information.
In 2018, compliance with the General Data Protection Regulation (GDPR) will be enforced. This imposes strict data protection compliance measures backed by potentially massive fines.
If you use an outside organisation to process personal information on your behalf, you remain responsible for the processing and will be liable for any breaches of the DPA/GDPR. The Act requires that you take the appropriate technical and organisational measures to protect the information being processed whether this takes place in-house or whether someone else does it for you. In order to decide what measures are needed, the following should be taken into account:
The guidance stresses that if you employ another organisation to process personal information for you, you must select one that you believe will carry out the work in a secure manner. Ongoing checks should be made to ensure that this is the case. Wherever the organisation is based, you must have a written contract with them. This should state that the personal data can only be used and disclosed in line with your instructions and that appropriate security measures must be taken.
If you are using an organisation based outside the European Economic Area, make sure the contract is enforceable in that country.
In summary, the good practice recommendations if you want to outsource the processing of personal data to an outside organisation are: