Our client was a telecommunications provider, operating a cloud-based platform with thousands of users on it. They approached us for help to become GDPR compliant ahead of GDPR coming into effect in May 2018.
Context and Challenge
Our client provided its services either direct to customers or white-labelled through networks of channel partners, resellers and distributors. A significant amount of personal data was collected on our client’s platform. GDPR compliance ahead of May 2018 was essential not just for our client but for all of the businesses that it was dealing with.
Our client’s platform collected personal data that was stored in data centres in the UK but which was accessible by support staff operating from its subsidiary in India. Although staff in India were only able to access personal data by logging on to the platform, this still counted for GDPR purposes as a transfer of personal data outside the EEA, so we had to deal with that. To make matters more complicated, in most of its relationships our client was acting as a sub-processor of personal data. The EU’s model clauses for overseas data transfers could only be used by controllers transferring personal data to a processor or another controller, so we had to find a way around this.
While our client’s standard contracts needed updating, we had to come up with a solution that would make it straightforward for hundreds of businesses within the delivery network to understand, accept and sign off on the changes that we were making.
Process and Insight
We analysed and updated the various contracts that our client was using for its customers, channel partners, etc., as well as its supplier contracts. We also looked at its operation in the UK and India to get a clear understanding of the controls and security arrangements around data access and storage, and considered how best to deal with the challenge of transferring data to India.
As well as updating the relevant contracts, we helped draft policies and security statements so that the businesses within our client’s network could understand how personal data that the platform collected was processed.
We came up with a solution around the GDPR restrictions on overseas data transfers that relied on agency law and the EU model clauses and applied this in the revisions that we made to our client’s contracts.
We also put appropriate contracts in place between our client and its Indian subsidiary.
We provided a Q&A document so that businesses within the network could understand the changes that we were making to their contracts and be reassured about the security measures that our client had in place for data processing.
We helped our client become compliant ahead of GDPR coming into effect, solving the challenge for our client and all of the other businesses in our client’s network.