Under the Data Protection Act 2018, you must not allow a third party access to personal information kept in your database. However, you can provide personal information to a third party if:
The General Data Protection Regulation (GDPR) came into effect in the UK on 25 May 2018. Alongside the Data Protection Act 2018, the GDPR introduces new rules on processing and safeguarding personal data.
If you outsource certain processes that need access to your database of personal information, for example email marketing, your business will remain liable for the information and keep full control over its use. In the event of a Data Protection Act 2018 breach, you are liable.
Protect customers' personal information
You must take appropriate measures to protect the personal information you hold, whether you process it yourself or outsource the processing. To decide what measures are appropriate, you should consider:
Under the Data Protection Act, individuals and organisations that process personal information need to register with the Information Commissioner’s Office (ICO) and pay a fee, unless they are exempt.
If you employ another business to process personal information for you, you must obtain evidence from them that they can do so in a secure manner. It is also highly recommended that you regularly check this yourself.
In order to ensure compliance with GDPR and information security, you must have a written contract with them, which:
If you outsource processes to a business outside the European Economic Area, you will have to take further