May 25 is coming closer and the topic of the EU's General Data Protection Regulations (GDPR) is becoming hotter day by day. Being an international company with customers worldwide, including Europe, Jelastic is also actively preparing to meet the requirements. In order to do that, we made a thorough investigation of this topic and would like to share our findings with the partners, customers, and readers in general.
Every organization within the EU, and any organization handling EU citizens' data, has to comply with the regulation; there is no compromise. GDPR cannot be overturned or repealed by any single government, as it has been agreed by all member states within the EU. Not meeting the requirements will lead to huge fines.
This new EU General Data Protection Regulation is not a re-invention of existing data protection rights; it only has a new emphasis. Some other regulations and standards overlap with GDPR, for example, the Payment Card Industry Data Security Standard (PCI DSS). For some organizations, this will amount to a compliance-oriented architecture (COA). If this is the case, your organization has a good starting point and may not need many adjustments to comply with GDPR.
The new GDPR also maintains the elementary principles of data protection: data minimization and transparency. Privacy by design and by default has the concept of minimization at its core: only the minimum amount of data needed to complete the task at hand is held.
Most likely, compliance with GDPR will improve data protection and security, increasing the trust of customers around the globe.
Who is Affected
Any company holding a person's data that moves across EU jurisdictions will be affected, even if the company is not located in Europe.
GDPR introduces extensive and all-inclusive changes to privacy of data for anyone in the EU (from citizens to visitors and immigrants) and for any company that retains EU customer data.
Gartner recently predicted that only 50% of companies impacted by the tough regulation will be compliant by the end of 2018.
Non-EU companies will be a special target for higher fines.
What Data Is Subject to Protection
GDPR requirements are far-reaching and thorough. They include protection of personal information related to race, genetics, health, biometrics, sexual orientation, criminal convictions and offenses, political opinions, and other data of this kind belonging to citizens and residents of the European Union.
How Processing Should Be Performed
Data processing covers any manual or automated operation performed on personal data, including the following actions: collection, recording, organisation, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction.
It is required to ensure that personal data is collected only for specific, explicitly stated and legitimate purposes, and further processed for this purpose fairly and lawfully. In addition, the data must be relevant to the processing purposes, correct and up to date. Also, companies have to ensure that all reasonable measures are taken to complete, correct, block or erase data, as well as that personal data is not kept for a period longer than necessary.
When It Comes into Effect
Strictly speaking, GDPR has already been in force since May 2016, but thanks to a transition period, companies are only obliged to apply the regulation to their customer data from 25 May 2018.
If you want to comply with GDPR before the deadline, now is the last-minute call to start preparing and equipping yourself with a strategic vision and solution that not only simplifies the complex process of meeting and maintaining GDPR compliance but also propels you to agile levels of IT infrastructure efficiency and security.
Why Take It Seriously
Breaking the regulation down, there are 99 Articles and 177 recitals that need to be considered and applied to the business. Ignoring the need for a security plan is a surefire way to fall under the GDPR hammer.
Not being prepared for, or not complying with, these new rigorous standards could cause your organization to pay an incredible amount in fines: up to €20 million or 4 percent of global annual revenue, whichever is greater.
Next Steps
Audit Data and Document the Plan
To start with, you need to understand what the roadmap to GDPR compliance looks like for your organization. For this, you must audit your data to find out what type of data you're managing, where it is located, why it is held and who needs access to it, how the data is being used, how long it is stored, and what the process for its deletion is.
You have to develop and document a security plan to better protect your IT infrastructure and data while fully complying with GDPR. The lack of established processes almost guarantees that IT spends extra time chasing down failed file transfers or untracked, unmonitored, unsecured data.
Define Your Company as Controller or Processor
Determine whether you're a controller or a processor; both parties are liable for upholding data subjects' rights.
“Data controllers” are defined as any “person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of processing personal data.” This is estimated to cover up to 80 percent of enterprises in the world and almost any cloud provider. For example, if your customers register using an email address, phone number, personal ID, credit card details, etc., you are the Data Controller according to the GDPR rules. It means that you take responsibility for the safety of your users' personal data.
“Data processors” are defined as any “person, public authority, agency or another body which processes personal data on behalf of the controller.” Under the GDPR, if controllers process any personal data in the cloud, the providers of these services (IaaS/PaaS and pure storage SaaS) are considered processors. So cloud service providers fall into this category by default, and it's not surprising that over the past few years major providers have been quickly building out infrastructure across the EU to address the new requirements.
In Jelastic's case, we already have 30 data centers within the European Union through partnerships with local service providers. This lets European customers choose from a wide list of GDPR-compliant providers and easily host their data in accordance with local regulations, without being limited to just one or two availability zones.
Set Up Notifications and Customer Preferences Selection
Under the GDPR, security breach notification is required in the event that data security is compromised. Without these notifications, you could face serious fines. GDPR requires that, within 72 hours, the data controller must notify the supervisory authority and the data subject. Your updated security plan must therefore also include your plan of response to a security breach, a notification list, the information required, and how to access the report information.
For every single use case, customers should be able to select which options they agree to and which they decline. The company must comply with and track their preferences.
Analyze Third Party Providers and Cloud Services
Audit your third-party providers and contractors, and re-evaluate your service agreements with them. If a third party cannot prove its GDPR compliance, the work it performs on your EU data is not lawful.
Consider where the data centers of your service provider are located. Many companies are moving data centers to the EU to comply. Some cloud-based database providers can easily discern and segregate EU data for you.
Managed public cloud services at trusted, GDPR-compliant data center providers may be more cost-effective and secure than in-house solutions. Some cloud providers will certainly implement the highest possible security and pass the costs on to all customers, or offer tiered services where hosting sensitive data comes with higher security levels and costs more.
Some organizations may conclude that the processing of personal data is so core to their business that they want to run the systems themselves (in-house). In that case, plans for GDPR should be well underway and an architecture that ensures compliance should be in place. Considering this possible path, it is rather handy that Jelastic can be installed as a private cloud on-premises, so our customers don't need to get used to a new platform if they decide to move from the public cloud.
Appoint Data Protection Officer (DPO)
Under GDPR, public authorities have to appoint a Data Protection Officer (DPO). Basically, a DPO is required if your company handles and processes sensitive personal data (e.g. banks, credit companies, healthcare), but if you only hold HR data, a dedicated DPO is not needed.
It's important to highlight that DPOs do not need to be members of the organization, so they can be hired externally as consultants. There is no specific list of DPO credentials, but Article 37 states that a data protection officer is required to have “expert knowledge of data protection law and practices.”
The DPO's expertise should align with the organization's data processing operations and the level of data protection required. If you're hiring external DPOs, make sure they understand not only the data specifics but also the business they work for.
Consider Country-Based Specifics
Data transfers to any of the 28 EU member states are still allowed, as well as to Norway, Liechtenstein, and Iceland. Transfers to countries that the European Commission (EC) has deemed to have an "adequate" level of protection, such as Andorra, Argentina, Canada (for commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay, are also still possible. Outside of these areas, appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., EU "Model Contracts") should be used.
EU-based data controllers should pay specific attention to new mechanisms under the GDPR when selecting or evaluating data processors outside the EU and ensure appropriate controls are in place. Outside of the EU, organizations processing personal data on EU residents should select the appropriate mechanism to ensure compliance with the GDPR.
It is important to check the details specific to each country you have connections with:
- Germany: In comparison to other countries, not everything will change fundamentally in Germany when GDPR comes into force. The EU has recreated some of GDPR's foundations from German law. This applies in particular to the existing principle of “Prohibition with the Right of Permission”: all types of processing of personal information are forbidden until the legislator explicitly permits the processing or the person concerned gives their explicit consent.
- The UK: Brexit, planned for 29 March 2019, will make no difference. UK-based organizations will face a 10-month period of compliance enforced by the EU itself. After that, the terms of the GDPR will pass into UK law unless the government specifically repeals it. Furthermore, the UK's Information Commissioner's Office took a lead in defining GDPR and, as it stands, supports its core principles. The UK government has confirmed that the new rules will come into effect before Britain leaves the EU.
- The USA: One of the GDPR requirements is that transfers may only happen to countries deemed to have adequate data protection laws. The US is not listed as one of those countries. To meet the requirements, a special agreement called Privacy Shield was designed. It creates a program whereby participating companies are deemed to have adequate protection, which therefore facilitates the transfer of information.
- Non-EU companies need to appoint a representative in an EU country. This representative is the point of contact for all communications with the GDPR supervisory body. It might also be reasonable to engage a Data Protection Officer (DPO) with the required expertise; this is mandatory if the data processing operations require systematic and regular monitoring and processing of data subjects on a large scale.
We expect that GDPR will bring part of the data back to the EU. Data controllers will give preference to local data center providers in the countries where personal data is collected, as this will decrease the amount of paperwork and reduce the risk of being penalized. Here Jelastic meets the needs of customers by partnering with 25 service providers that have data centers in the EU and well-conceived data collection processes.
On the other hand, the majority of data controllers (i.e. website owners, mobile app developers, SaaS solutions) should improve both the technical and legal aspects of personal data security within their companies to be compliant with GDPR and avoid fines.
In the cloud industry, we will see increasing demand for migration services and greater attention to the lock-in issue, as many companies will have to shift from untrusted, non-compliant public clouds to domestic data center providers or even to on-premises private clouds. The demand for hybrid and multi-cloud will also grow.
Find out more about how Jelastic can help you meet GDPR requirements while hosting your projects in the cloud by contacting us via firstname.lastname@example.org