Technology and Outsourcing 2025

UK Law and Practice Contributed by: Richard Brown, Louisa Chambers, Adam Wyman and Michael Ross, Travers Smith LLP

• pensions (Pensions Regulator);
• rail (Office of Rail and Road);
• road transport (Driver and Vehicle Standards Agency);
• security services (Security Industry Authority);
• telecommunications, broadcasting and postal services (Ofcom); and
• water and sewerage services (Ofwat).

This list is not exhaustive and the activities covered by the outsourcing may mean that there is a need for licences, permits or approvals from other bodies such as local authorities, the Health and Safety Executive or government departments. By way of example, certain defence or security-related activities may require Ministry of Defence approval or be subject to review under the National Security and Investment Act 2021.

2.3 Restrictions on Data Processing or Data Security

Data protection laws are likely to apply where the outsourced services require the supplier to process personal data on behalf of the customer. “Personal data” includes names, contact details, or other data that relates to an identified or identifiable natural person. In the UK, the relevant laws are the UK GDPR (which is based on the EU’s General Data Protection Regulation (EU GDPR)) and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025) (collectively, the “Data Protection Laws”). Nevertheless, the EU GDPR will continue to apply to those organisations that fall within its territorial scope. In the UK, the Data Protection Laws are enforced by the Information Commissioner’s Office (ICO).

Many outsourcing arrangements – in particular, business process outsourcings and IT outsourcings – are likely to result in the supplier handling personal data on behalf of the customer and in respect of which the customer is the data controller (ie, the entity that determines the purposes and means of processing of such data). The supplier will be a processor in such situations.
Where this is the case, as well as the supplier having a number of direct obligations to comply with under the Data Protection Laws, the customer must also be satisfied that the supplier will implement appropriate technical and organisational measures to ensure that the supplier’s processing of such data will meet the requirements of the Data Protection Laws – in particular, the requirement to keep the data safe and secure. The customer must carry out due diligence on the supplier in order to be satisfied of this.

The Data Protection Laws also stipulate that, if the supplier is processing personal data on behalf of the customer and in its capacity as a data processor, the contract between the customer and the supplier must address certain issues (see 4.5 Data Protection and Cybersecurity) – namely, requiring the supplier to:

• keep the data safe and secure; and
• help the customer in complying with its own obligations – for example, when data subjects seek to enforce their rights in respect of data held by the supplier on behalf of the customer.

It may well be the case in some outsourcing arrangements – in particular, some BPOs such as pensions administration – that the nature and manner of the outsourced services requires the supplier to effectively act as a data controller in respect of any data it processes. If this is the case, then the supplier will have to comply with obligations placed on it by the Data Protection Laws in its capacity as a data controller.

Overseas Transfers of Personal Data

Personal data transferred to the supplier for processing outside the UK must be exported in compliance with the Data Protection Laws, ultimately to ensure that the standard of protection for such data under the Data Protection Laws travels with the data. This issue will need to be addressed where, for example, the outsourcing involves “offshoring” of service provision to a territory outside the UK.

Similar rules apply to customers that fall within scope of the EU GDPR and where data will have to be transferred to a supplier located outside the EEA.
If the country in which the supplier is located has not been granted an adequacy decision by the UK government (essentially, finding that the data protection laws of the destination country are adequate and meaning that the data can flow freely to the supplier without the need to put additional measures in place to protect it), then an alternative safeguarding mechanism must be relied on.
