General Data Protection Regulation (GDPR) Compliance
The European Union’s General Data Protection Regulation 2016/679 (GDPR) comes into effect on May 25, 2018, and it’s going to affect every business operating in the EU or dealing with EU customers. The new regulation replaces the outdated European Data Protection Directive that was adopted in 1995 and is designed to harmonize data privacy laws across the EU member states, protecting EU citizens’ personal data.
GDPR is really about standardizing the way businesses handle people’s personal data, and making consumers confident it’s in safe hands. Every time you commit to something online – like opening a bank account, joining a social networking website or booking a flight, you hand over vital personal information like your name, address and credit card number. This is personal and/or sensitive information. With high-profile data breaches and hacking on the rise, GDPR looks to tighten security and keep things safe.
Key terms and definitions
Controller– “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” This is you, the business operating in the EU or dealing with EU customers.
Processor– “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” This is your cloud storage provider and/or data protection vendor such as NetShop ISP.
Personal data– “any information relating to an identified or identifiable natural person.” This is the focal point and the reason for the entire GDPR.
Data subject– the person identifiable by the personal data. These are the people who may ask you to reveal, edit or delete the personal information that you store about them on your servers. You will have to answer every request in a timely manner or risk hefty fines.
Right to be forgotten– data subjects have “the right to have his or her personal data erased and no longer processed.” People may request that you delete all their personal data stored on your servers. At this stage, it is not clear if the right to be forgotten also means removing data from backups, because certain types of storage media, for example, tapes, do not allow deleting bits of data without destroying the entire backup. Your business may also be subject to certain backup retention policies for archiving and legal purposes.
Personal data breach– “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” You will have to report data breach incidents to “the supervisory authority” within 72 hours after becoming aware of it.
Service contract– a service agreement between controller and processor.
Data Protection Officer (DPO)– a new position in your company who will be responsible for all issues related to the protection of personal data.
Key requirements of GDPR
The GDPR requires any business operating in the EU or foreign business dealing with EU customers to store and process all personal data within the European borders (unless there is an explicit permission from the data subject to keep his or her data outside the EU).
Personal data can only be kept for as long as it is required for the initial purpose and must be protected in accordance with the new rules. Both the controller and the processor are required to 'implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk,' including data encryption and pseudonymization ('the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.')
The GDPR also calls for a comprehensive reporting mechanism to help the controller identify personal data stored on their servers and also confirm its storage location, encryption or deletion when requested. There must also be an easy way for an external auditor to verify your reports.T
What about non-EU companies? How does GDPR affect them and their dealings?
Many EU businesses have non-EU offices, or trade with non-EU companies. In fact, GDPR extends the scope of its EU data protection law to all foreign companies processing data of EU residents. In this way, things are actually made easier for non-EU companies. They will adhere to one set of standardized data protection regulations so they won’t need to wade through a minefield of differing rules depending on which country they’re working with.
Dealing with your cloud storage and data protection vendor
The GDPR impose new security and contractual requirements on organizations (controllers) dealing with cloud service providers an data protection vendors such as NetShop ISP (processors).
The relationship between controllers and processors can be summarized by the following points:
– Cloud service providers have to offer sufficient guarantee that the service meets technical and organizational requirements of the new regulation.
– Service contracts between the controller and the processor prohibit the use of subcontractors without the consent of the controller.
– On termination of the service contract, all data must be removed from the cloud and the processor must provide sufficient proof that it has been done.
– Controllers have a duty to report data breach incidents to the regulatory body.