Offshoring: the 8th frontier

Defining ‘offshoring’

Data protection definition

Supply chain definition

So, when am I offshoring?

  • data hosting — where is my data located in terms of servers and storage (probably in a data centre) including offsite backup locations?
  • data processing — for example, data being held in a database in the UK, but an outsourced service contract (for example, a support call centre) that can view, modify, copy or delete the data is operating remotely
  • development of service — who does the development? Are they in another country?
  • the operation of your service itself — similar to data processing: who is managing your service? You may have system administrators who are global and work on a follow-the-sun shift.
  • the operation of the data hosting itself — for example Microsoft Azure’s data centre is in the UK but the system admins can be located in New Zealand, China, Brazil, US and so on.
  • where are these legally instantiated and located? — just because Amazon Web Services have a UK data centre this doesn’t mean they’re not still a US company also with global support offices.

Offshoring Examples

Personal Data on/near/off-shoring examples

  • Data Subject is in the UK
  • Organisation is solely (legally incorporated, all staff etc) based in the UK.
  • The Data Subject fills in a paper form they were given in the organisation’s office and simply hands it in. The organisation just files it on-site and staff pull the paper out from time to time.

  • Data Subject is in Italy (an EU member state)
  • Organisation is solely (legally incorporated, all staff etc) based in France (another EU member state)
  • The organisation’s supply chain includes a German company which processes personal data in Germany (for example, a data-centre provider or call centre)

  • Data Subject is in Italy
  • Organisation is solely based in France (legally incorporated, all of their own staff etc)
  • The organisation uses Amazon Web Services (AWS) for web hosting and chooses the AWS EU ‘regions’ (at present: London, Frankfurt or Ireland data-centres)
  • AWS is an organisation legally based in the United States (overall consideration including the subsidiary structure) and has operational support staff across the globe

  • Data Subject is in Italy
  • Organisation is solely based in France
  • The organisation uses a call-centre based in the US that uses local staff for out-of-hours customer service who have access to customer accounts (etc) to provide said customer service

Supply chain offshoring examples

  • An organisation in the UK retains an Indian software development firm to create an application for them
  • An organisation in the UK uses a popular open source package published to While likely opaque in the real world, the developers are based abroad and/or the open source foundation acting as maintainer is abroad.
  • An organisation in France purchases a Huawei router for their corporate network.

Offshoring risks

Data protection

Supply chain

Offshoring risk mitigation

Data protection

Supply chain

I’m starting to panic, what does this all mean and what do I need to do?

Earlier you wrote ‘answers you should already have’

I think I have intellectual property and/or non-personal data assets which warrant a good look at my offshore supply chain

Mythbusting: Does the GDPR require EU personal data to stay in the EU?

I have people within my organisation that just don’t ‘get’ offshoring and don’t think we should do it

I am a Data Controller in the UK and I am unsure of what to do in the face of a ‘no-deal’ hard Brexit!

  • you should ensure you understand the scope of your data processing/sharing, what your Joint Data Controllers or Data Processors do for you and how they behave (retention, Sub-Processors etc) and so on (this should be a ‘check’ anyway!)
  • ensure you have scoped and executed ‘Standard Contract Clauses’ (the new name for Model Clauses) — ICO link
  • think about where you rely on Binding Corporate Rules — ICO link

The thin blue line between technology and everything else.

Joel Samuel
