Which statement about outsourcing data protection implications is true?

Study for the CISI Level 3 Exam. Utilize interactive flashcards and multiple-choice questions with detailed hints and explanations. Equip yourself for the challenge!

Multiple Choice

Which statement about outsourcing data protection implications is true?

Explanation:
When you outsource, you still own the responsibility for protecting personal data. The most important requirement is to verify that the external organization can carry out the work securely and to put in place a written contract that governs how the data will be used and disclosed. This contract—often called a data processing agreement—should spell out processing purposes, what data is involved, how long it will be processed, and the instructions the processor must follow. It also covers security measures, rules about sub‑processors, breach notification, data subject rights, and how data will be returned or destroyed at the end of the engagement, including any international transfers. This formal arrangement ensures ongoing compliance with data protection laws and provides a mechanism to monitor and enforce protections even when operations are outsourced. The other options overlook these essential protections: merely notifying the ICO or avoiding a written contract, or thinking data protection can be ignored, do not establish the necessary control and accountability.

