What is the GDPR?
The GDPR is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents. It comes into effect on May 25, 2018.
The General Data Protection Regulation (GDPR) is a regulation that was agreed upon by the European Parliament and Council in April 2016 [Regulation (EU) 2016/679] and is meant to replace the Data Protection Directive of 1995 [Directive 95/46/EC], which was enacted to regulate how companies should protect the personal data of EU citizens.
Personal data plays a huge part in society and the economy. It is essential that people have—and know they have—control and clarity over how their data is used and protected by any organisation they interact with, and that organisations are given clear guidelines for protecting that data.
One of the aims of the GDPR is to harmonise and bring data privacy laws across Europe up to speed with the rapid technological change in the past two decades. It builds upon the current legal framework in the European Union, including the EU Data Protection Directive in existence since 1995.
The GDPR is quite different from its predecessor, Directive 95/46/EC. Unlike a directive, the GDPR is a regulation: it does not require national governments to pass any enabling legislation and is therefore directly binding and applicable in all EU member states. Since the GDPR takes effect on May 25, 2018, all EU-based companies that are already in compliance with the current directive must prepare accordingly so that they meet the requirements of the new regulation.
The GDPR’s scope is not limited to the EU; it also covers all foreign companies processing the data of EU residents, for instance American or Canadian companies engaged in such business.
The following are some of the key requirements of the General Data Protection Regulation (GDPR):
- Sending notifications of data breach incidents
- Obtaining the consent of the subjects for data processing
- Ensuring anonymity in data collection for privacy
- Ensuring safety in the transfer of data across borders
- Providing a single set of rules and a one-stop shop
- Requiring certain companies to appoint a data protection officer (DPO) to oversee compliance
The GDPR guidelines are quite comprehensive: there are 11 chapters and 99 articles in the General Data Protection Regulation. Some of the more crucial articles are outlined below.
Article 31 provides guidelines for instances of data breaches and details which supervisory authorities (SAs) must be informed of a breach, within 72 hours of learning about it. They must also be provided with details such as the nature of the breach and the approximate number of data subjects affected by it.
Article 32, on the other hand, concerns the rights and freedoms of the data subjects. It requires that data controllers inform the data subjects as soon as possible when a breach puts their rights and freedoms at high risk.
Article 45 discusses what international companies or third countries must comply with, and what the Commission takes into account when assessing the adequacy of the level of protection in a specific geographic area.
GDPR: Key changes
The GDPR brings with it a shift in mindset. It expressly introduces several principles that previously underpinned data protection law, such as the “accountability principle” and “privacy by design,” and encourages organisations to take more responsibility for protecting the personal data they handle.
Privacy by design: This means that organisations handling personal data need to think about data protection when designing systems, not just review privacy implications after a product or process is developed. If you process a lot of data or deal with sensitive information, in many cases you’ll also need to conduct data protection impact assessments to meet the privacy by design principle.
User rights: The GDPR expands the existing set of user rights and creates several entirely new rights. Companies should review and ensure they have effective systems in place to give effect to these rights.
Tougher breach notification rules: Under the GDPR, organisations are required to have a strong breach notification system in place and understand their specific reporting obligations.
Accountability: Not only must your company adhere to the principles set out in the GDPR, but you must also demonstrate that compliance in line with the principle of accountability. This requires a comprehensive and clear internal privacy governance structure.
Data protection officer: The GDPR requires companies that engage in processing of EU user data to determine if they should appoint a Data Protection Officer. Companies that routinely process large volumes of information or particularly sensitive information should consider appointing a DPO.
What are your obligations under the GDPR?
- It is important to remember that you, as the business customer and the data controller, have specific legal obligations under the GDPR. What are data controllers’ obligations?
- You should be confident that any providers (data processors) which you work with have a highly robust approach to data protection, understand the obligations of the GDPR, and are well prepared to meet them.
- Remember, however, that no provider can offer to “solve” GDPR compliance for you, as each business has its own distinct journey to GDPR compliance.
How will Host-IT comply with the GDPR?
- Host-It have reviewed all internal systems we use which contain personal data and have checked with third-party system providers to see if they meet GDPR compliance. They do, and all our systems are built with data protection in mind.
- Host-It Cloud backup systems are fully compliant, as none of the data stored in the system is in plain text: it is encrypted with a 256-bit AES encryption key, rendering the data useless without that key. The data is encrypted on the client side before transmission, transmitted using the SSL protocol, and held on the storage devices in our data centers in its encrypted form, so it is also encrypted at rest.
- Host-It use data centers that meet the ISO 27001 standard.
- All data is stored in Ireland, an EU member state.
- Online Backup terms and conditions are outlined here
The cloud has a silver lining
Cloud backups make a lot of sense as part of an effective GDPR compliance strategy. Arguably, they’re the most effective way for controllers to deal with the greater emphasis GDPR places on meeting contractual obligations with processors, and ensuring compliance. Meanwhile, cloud storage and backups will make it far easier for processors, who must plan for maintaining records of all processing and use of personal data – and prepare for the increased legal liability for any data breach.
At best, ‘legacy’ backup methods such as disk or even tape-based backup make it time-consuming and difficult to locate, amend or delete personal data at consumers’ request. At worst, this won’t even be possible – at least not within the strict timeframes the new Regulation will enforce. With this in mind, secure cloud backups with a provider that fully understands the intricacies and implications of GDPR are perhaps the best preparation for its enforcement in May 2018.
GDPR disaster recovery
Of course, having a robust disaster-recovery plan for any business-critical data is a fundamental IT requirement for any business. But with GDPR imminent, now is the time for businesses and organisations collecting EU consumer data to evaluate – and most likely improve – their disaster-recovery set-up. Losing data through human error or hardware failure can cause problems most businesses would prefer to not even think about, but controllers and processors’ liability will increase significantly when GDPR becomes fully enforceable. So, as with accessing, amending and deleting personal data on request as described above, disaster recovery under GDPR will be far easier and efficient with a cloud-based backup plan. In fact, a cloud-based strategy should help avert any such ‘disaster’ in the first place.
GDPR – the cloud and compliance
Let’s not forget that, while immensely useful for protecting data and making it more accessible and easier to manage, the cloud is still vulnerable. So simply migrating all your data to a cloud backup doesn’t wash your hands of any threat or responsibility. Businesses and organisations must not only continue to protect the data that remains in their own systems and hardware – perhaps through their own encryption and hardware backups – but also ask questions about how the personal data they entrust to a cloud provider is protected.
It’s important to remember that using cloud services effectively grants your provider access to the data you place in their care. Almost inevitably, one or more of their people will have access to the personal data you’re looking to safeguard. Meanwhile, the liability for the security of that data remains yours, and will only increase when GDPR comes into full effect on 25 May 2018.
With GDPR imminent, it’s also crucial that businesses keep their own cloud access credentials secure. A cloud provider’s service might be excellent in itself, but if access credentials aren’t monitored and guarded properly, this can cause expensive and reputation-damaging security and data breaches. This is a strong argument for appointing a Data Protection Officer to oversee the policies and strategies that will support your GDPR compliance.
The case for encryption
Encryption is a very useful tool for protecting data. While businesses and organisations can encrypt their own data before migrating to the cloud, as part of protecting against cyber attacks, a good cloud provider’s encryption will likely be more robust and up to date, and more effective in supporting GDPR compliance.
Significantly, encryption can be the difference between a security breach and a data breach. Under GDPR rules, a leak of encrypted data is considered unlikely to put people’s rights and freedoms at risk, so it won’t be mandatory to report it, and it therefore won’t incur significant fines.
The GDPR deadline is looming
The General Data Protection Regulation becomes enforceable on 25 May 2018. We’ve covered the fundamentals here, but every business or organisation will have different needs and require a tailored response to GDPR.
If you haven’t already, it’s time to begin sourcing and implementing the right strategies for GDPR compliance.
Common GDPR Questions:
Here are a few of the more common questions we have heard regarding GDPR.
- GDPR will only affect citizens in the EU.
Answer: The changes being made by companies to comply with GDPR will almost certainly apply to customers from all countries. And that’s a good thing. The protections afforded to EU citizens by GDPR are something all users of our service should benefit from.
- After May 25, 2018, a citizen of the EU will not be allowed to use any applications or services that store data outside of the EU.
Answer: False. No one will stop you as an EU citizen from using the internet-based service you choose. But you should make sure you know where your data is being collected, processed, and stored. If any of those activities occur outside the EU, make sure the company is following the GDPR guidelines.
- My business only has a few EU citizens as customers, so I don’t need to care about GDPR?
Answer: False. Even if you have just one EU citizen as a customer, and you capture, process or store their PII outside of the EU, you need to comply with GDPR.
- Companies can be fined millions of dollars for not complying with GDPR.
Answer: True, but: the regulation allows for companies to be fined up to €20 Million or 4% of global revenue (whichever is greater) if they don’t comply with GDPR. In practice, the feeling is that such fines will be reserved (at least initially) for egregious violators that ignore or merely give “lip-service” to GDPR.
- You’ll be able to tell a company is GDPR compliant because they have a “GDPR Certified” badge on their website.