The General Data Protection Regulation (GDPR) has been in effect since May 2016. This EU regulation constitutes a sharpening of existing privacy legislation, and the deadline for businesses and organisations to ensure compliance with the new legislation expires on 25 May 2018. How does this affect CloudVPS’ customers?
This blog post will tell you all about the GDPR, the measures CloudVPS is taking to ensure compliance and tips to make sure you aren’t in violation.
What is the GDPR?
The GDPR is the new European privacy law. It replaces current legislation that was created during a time when internet didn’t play such a major role in society and much less data was generated than today.
The GDPR is quite different from the old legislation. In a nutshell, people will get more control of their own personal data. And when it comes to collecting personal data, businesses face more rules to ensure privacy remains protected.
The key points of the GDPR:
- You must have valid grounds to process data – You can only process data if you have good reasons to do so. There are valid grounds for processing data if it is required to fulfil the agreement with your client. For example, if you’re running a web shop you’ll be storing your customer’s address. You need it to deliver the items, which provides valid grounds, so you do not require any explicit approval from your customer. On the other hand, you may not need your customer’s date of birth in order to deliver your product. In that case you are not allowed to ask your client for that information. Other examples of valid grounds are analysing your website’s performance or emailing newsletters with new information about a previously purchased item.
Processing special personal data, such as information about a person’s health or a fingerprint, is not allowed unless explicitly exempted by law. Medical specialists, for example, need to store medical details of patients for the benefit of their treatment.
- Consumers get more control over their own data – People have the right to know how you are handling their personal data. You can put up a privacy statement on your website where this is explained in clear (non-legal) vocabulary. You are also obliged to explain where people can turn to with questions and with requests for modification or removal of their data.
- Expanded definition of personal data – Under the GDPR, personal data no longer just includes data that can be directly traced to an individual, but also data that makes this possible indirectly, such as the combination of postal code and date of birth. If only one person above 80 lives in a certain street, for example, that combination can be traced to that specific person.
- You are responsible for the actions of your suppliers and partners – Under the GDPR you are responsible for the data you process at all times, including when third parties are employed to do so. In the case of a data leak, you cannot hide behind the third party storing your data. In addition, you are obliged to conclude a data processing agreement with your suppliers, determining which data they will be processing. Consequently you will need proper insight into all suppliers that are processing data for you, and you must conclude sound agreements to cover this.
- Limitations on where data can be stored – According to the GDPR, personal data may in principle only be stored in the EU and in several other countries marked as safe by the EU. For some of the safe countries, additional requirements apply. The United States is on this list; the additional requirement here is that providers from the US must meet the requirements of the Privacy Shield. This means that you are in violation of the law when using an American cloud provider for data storage that does not meet the Privacy Shield requirements.
What can you do to ensure GDPR compliance?
- Create an internal privacy register – Map out internally which personal data is processed by your organisation and by third parties. It is mandatory to draft such an overview containing meta-information (a privacy register), which helps determine whether you’ve got valid grounds to collect certain information. When it comes to special data, extra attention is required!
- Know where your data is stored – As mentioned before, you can rest assured that CloudVPS stores your data in the EU. But does this also apply for your other suppliers? Do you know exactly where your email marketing software stores your data? And which data is processed in certain plugins in your WordPress site and where it is stored?
- Be careful about choosing your data partners – Apart from your data partners’ geographic location, there are other things to take into account as well. How secure is their data storage? Conclude processing agreements with these partners defining what type of personal data they process and agreeing that they ensure this is done securely.
- Determine whether you need a data protection officer – The GDPR describes under which circumstances companies are obliged to appoint a Data Protection Officer (DPO). Generally speaking, this applies to governments and businesses involved in large-scale profiling, but it can’t hurt to find out whether the obligation applies to your company as well. Even if it does not, you may still want to appoint a DPO to demonstrate that you are taking privacy seriously.
The importance of GDPR compliance
As mentioned before, non-compliance with the GDPR can lead to large fines. However, this shouldn’t be the primary reason for ensuring compliance. The GDPR is nothing more than an update of legacy privacy legislation to the standards of the 21st century. Any company that values its customers’ privacy should embrace this new legislation for that reason alone.
How does CloudVPS ensure compliance?
CloudVPS processes data. It is therefore our responsibility to treat that data with care, something we’ve always been committed to. We hold various security certifications, including ISO 27001 and NEN7510.
We are currently preparing for the GDPR. We have completed our privacy register and are concluding data processing agreements with our suppliers. The next step will be to invite you as our customer to conclude a data processing agreement with us, if you are using CloudVPS for storing personal data.
CloudVPS’ customers are guaranteed to have their data stored in the EU unless they have specifically requested otherwise. This ensures that your customers’ data is stored within EU borders and meets the GDPR’s geographic requirements.