Why would you want to outsource part of your organisation?
You know what you're good at. If you're a hotelier, you're good at running hotels. You might be less good at other things, which is why you make use of the services offered to you by accountants, lawyers, specialist cleaners, plumbers, electricians, Information Technologists, website builders, copywriters, photographers and so on.
Photography, for example, is an interesting one. I am a keen amateur photographer. Keen, but ultimately disappointing.
My wife is a trained professional photographer. We can be standing in the same place and take photographs of the same scene in front of us at the same time but the images she shoots are always better than mine. Her framing is better and she captures the essence of every scene more effectively than I do. It happens every time.
She has forgotten more than I will ever know about photography. It comes naturally to her (through no shortage of hard work some years ago). Her pictures always tell a story. My pictures are... well, they're just pictures. I am always left with an uneasy feeling that I could have done better, but I don't know how.
Which is why, whenever photographs are needed for any of my business purposes, we rarely use mine.
So there are things you can do well and things which are best left to people who know what they're doing. Outsourcing is part of everyday business.
Outsourcing means you don't have to know very much about the thing you want to outsource. You can pay someone else to do it.
You define what you want done, you agree what the results should look like, you agree how long the job will take and what the price will be.
Then you, as the outsourcer, can get on with your day whilst the outsourcee gets on with theirs. They do the work for you and report back to you with the results.
You don't employ them. Instead you engage them, which means when the task is complete, the engagement is usually finished. If you use an accountant you might engage in an outsourced relationship with them covering several years. They will look after such things as your Corporation Tax Return, oversight of your VAT, perhaps PAYE or even your personal tax returns.
So why not outsource the tricky parts of your data privacy management?
When you outsource anything to do with processing personal data under the Data Protection Act 2018 (DPA18), you will usually do so as the "data controller". The outsourced vendors you appoint will be "data processors". In the hotel industry in particular, there can be many of those, even for a small property, for example:
You can see from this that outsourcing happens a lot in the hotel industry. It's quite reasonable of course. You need these specialist skills in order to make the most of your opportunities as a hotelier. You have no idea how they work, but you still need them just the same. So you get someone who does know how they work to do them for you. You outsource to a specialist.
It means that even small accommodation operators are frequently in the hands of much larger organisations: specialists who know better how to define what needs to be done.
Yet when it comes to the DPA18 (or the GDPR if you're still calling it that) there is one key point you need to be aware of:
As the data controller, you are responsible for anything the data processor does wrong. Which means that if you have aligned yourself with Google G Suite as a data processor for your business email and Gmail suffers from a massive data breach, the buck stops with you as the data controller. You did the outsourcing to Google.
Of course, there are agreements and contracts which should be in place to protect you as the data controller. The data processor, for example, is supposed to maintain an appropriate level of technical and organisational measures to play their part in helping you to uphold the rights and freedoms of your data subjects.
In other words, they will run all the security stuff because they know what they're doing. Part of the contract you agree to at the start of your outsourcing makes it clear they're doing that on your behalf. It is this contract which protects you when your chosen data processor experiences a problem.
As an organisation, you have no idea how to manage some complex systems or how to deploy certain specialist skills so you outsource them. You ask a specialist who knows how these things work and has the skills you lack.
The DPA18/GDPR says that you, as the data controller, "decide the purpose and means of processing personal data". When you (as the data controller) outsource that "means" to a specialist provider (as a data processor), you become responsible for the efficacy of their specialist knowledge. Even the bits you know nothing about.
Which is why you need an effective data controller/data processor contract in place. Often data processors who want to sell their skills or systems to you will provide you with an appropriate agreement, designed to protect you both when things go wrong. Be careful what you sign. Such agreements are increasingly edited to contain clauses which can be very expensive for you.
Don't run the risk of feeling like I do when taking photographs. That uneasy feeling that you could have done better always comes after the fact. If you're going to outsource, tread warily and put the effort in before you press the button on appointing a new vendor. Or get a qualified and experienced DPO to help you.