Introduction to outsourcing
Data protection law was born in the early 1970s as computers spread, and early service bureaux (also called computer bureaux) processed data on behalf of organisations that lacked their own capacity. This created a new problem: how to protect data when processing is one step removed from the entity responsible for it. The OECD Guidelines answered that accountability stays with the controller even when another party does the processing. The Data Protection Directive made controllers responsible for their processors, and the GDPR went further by placing direct legal obligations on processors and stressing the contract between customer and supplier.
Outsourcing means a customer pays an external supplier to do data processing for it. The legal puzzle is that the processing happens one step removed from the organisation ultimately responsible. The earliest answer, from the OECD Guidelines, was that accountability for privacy rules stays with the data controller even when a service bureau does the actual work.
The Data Protection Directive made controllers responsible for the actions of their processors. The growth of outsourcing through the 1990s and 2000s made the balance between controller responsibility and the supplier's professional duties a cornerstone of modern data protection. The GDPR then went further still by imposing direct legal obligations on processors while increasing emphasis on the contract between the customer and supplier.
| Regime | Treatment of the processor |
|---|---|
| OECD Guidelines | Accountability placed on the controller; the controller keeps it even when a service bureau processes the data |
| Data Protection Directive | Controllers made responsible for the actions of their processors |
| GDPR | Direct legal obligations on processors + greater emphasis on the customer-supplier contract |