GDPR Case Study # 2
Hi folks, here is the second case study in the sequence that I've planned to publish. Incidentally, the heat is just on and will become hotter when the regulatory push starts. There's going to be a lot of anxiety on many fronts! I'm watching! You can join as well!
A HIPAA-compliant European healthcare company, Oasis Medico, has outsourced its patient insurance claim services to a company in India. The Indian IT company, Health-O-Big, runs the back-end services with a dedicated team supporting Oasis Medico.
When one of the key stakeholders of Oasis Medico was reviewing its GDPR compliance, she asked whether the Indian IT company is compliant with GDPR requirements. The Oasis Medico person responded that the Indian IT service provider Health-O-Big only validates patients' claims and does not modify any data.
The Oasis Medico person felt that there was minimal to no risk, since the Indian IT service provider works on a Citrix system and does not download any data. They only see the claims from the customer, key them into a software application and process the insurance claims. If you were a GDPR expert, how would you respond?
Note: All the names referred here are fictitious, any resemblance to real world is purely coincidental
The service provider must be compliant with GDPR requirements. Even though they are not downloading the data, they are still viewing it and keying it into another software application. Under GDPR, "processing" is defined broadly (Article 4(2)) and explicitly includes consultation and use of personal data, so viewing patient claims on screen is processing. That makes Health-O-Big a processor acting on behalf of Oasis Medico (the controller), which means Oasis Medico needs a written processing agreement with the required Article 28 terms, and, because the team sits in India, a lawful basis for the international transfer of the data (Chapter V), for instance the EU Standard Contractual Clauses. Running the work through Citrix limits where copies of the data end up, but it does not change the fact that personal data of EU patients is being processed, and the access-only design should be recorded in the risk assessment rather than used to argue that GDPR does not apply.
Shriram S.