Europe’s General Data Protection Regulation comes into effect May 25, 2018, bringing new rules around data collection, storage and usage. Are you ready?
With data breaches making headlines on a regular basis, consumers are rightfully wondering how data is being collected, stored and used by corporations.
The General Data Protection Regulation (or “GDPR”) is the European Union’s attempt at tackling this issue with new rules around the collection, storage and processing of the information of EU Data Subjects – including end users, customers, and employees located in Europe. Even if you’re not a European company, it’s likely that GDPR applies to you.
GDPR goes into effect May 25, 2018, and the penalties for GDPR non-compliance can amount to up to €20 million, or four percent annual global turnover – whichever is higher. This should be a cause for concern for all companies. There are new responsibilities regarding customer data and your relationships with clients.
It can be really confusing for software developers and online service providers to know where they fit into all this. But luckily, if you understand your place in GDPR, you can be more confident in your compliance and also inspire trust in all relationships where people count on you to keep data secure.
Let’s start with helping you understand some important definitions: controllers and processors. Basically, a controller is the legal entity who determines the purposes and the means of processing personal data, and a processor is an entity that processes personal data on behalf of a controller.
Let’s go further into how this works out in practice.
Processors and Controllers
In practice, the personally identifiable information that any one company handles is almost always also handled by one or more other entities. A simple example is an email newsletter service like MailChimp, which keeps a database of people who’ve agreed to get the newsletter on behalf of the organization that sends it. When you have an external newsletter provider, you essentially trust your email newsletter service to act in a responsible way on your behalf, under your instructions. If, for instance, they have a data breach, it’s their fault, but if you enroll people in your newsletter without their permission, that’s your fault.
GDPR takes these sorts of relationships into account by specifying the “controllers” and “processors”.
A controller “determines the purposes and means of the processing of personal data”, according to the official definition. In practice, this basically means being principally responsible for things such as collecting consent from data subjects, revoking consent, and fetching data under the right to access.
A processor basically acts on instructions from the controller: collecting, storing, transferring or deleting personal data, all while maintaining the GDPR standards.
Going back to the newsletter example from above, let’s say a company called Business Inc. uses a third-party cloud service for their email newsletter, which we’ll call CloudLetter Inc. One of their former customers decides they no longer want to receive the newsletter. In this case, even though the data is stored on servers belonging to CloudLetter (the data processor), Business Inc. is the data controller, so they must be the ones receiving the customer’s request to be removed and initiating the removal. It is then the data processor’s responsibility to delete the revoked data from their servers.
Based on your particular circumstances, your company may fit the definition of a controller, a processor, or both.
Web hosts, cloud services and app providers will often act as data processors to the clients who use their services. For instance, a department store may rely on an ecommerce service provider like Shopify to store their customer data and carry out transactions as a data processor on their behalf. The department store is the data controller in this case.
But there are many instances where you’ll be a data controller! As mentioned before, you may want to send an email newsletter through a third-party app, in which case you will be responsible for the dutiful handling of any personal information relating to the newsletter. Or you may have an external payment processor who you trust to handle the personal information of clients and their payment details.
As part of their GDPR responsibilities, data controllers need to ensure the data processors they use are GDPR-compliant in the handling of personal data entrusted to them.
GDPR holds data controllers liable for data protection noncompliance, but don’t think you’re off the hook as a data processor. The new regulation also makes data processors subject to penalties and civil claims by data subjects, and in some circumstances requires them to designate a Data Protection Officer (or “DPO”).
In addition to meeting their own GDPR requirements, service providers will want to assure their clients (as data controllers) that they’re trustworthy by issuing a GDPR statement or report. That starts with understanding your GDPR responsibilities as a data processor.
Understanding your Role as a Data Processor
It’s important to think about the flow of personal data from the perspective of both controllers and processors. Just because data controllers are “in control” doesn’t mean that the processor should follow their orders blindly; processors have obligations of their own around the security of data.
In addition, there are some GDPR stipulations that could affect how you operate as a data processing service provider.
As a data processor you must:
- Only process personal data on instructions from the controller, and inform the controller if you believe the instruction infringes on the GDPR
- Get written permission from the controller before engaging a subcontractor, and assume full liability for failures of subcontractors to meet the GDPR
- Delete or return all personal data to the controller at the end of service contract upon request
- Enable and contribute to compliance audits conducted by the controller or a representative of the controller
- Take reasonable steps to secure data (e.g. encryption, pseudonymization, and regular security testing)
- Upon learning of a data breach, notify data controllers without undue delay
- Restrict personal data transfer to a third country or to an international organisation unless the proper legal safeguards are obtained
Under most circumstances, data processors will have to maintain a record of all categories of processing activities carried out on behalf of a controller. (Processors are only exempt from this if they have fewer than 250 employees, process data only occasionally, do not process data that is “likely to result in a risk to the rights and freedoms of data subjects”, and do not process special data as outlined in Article 9(1) or data relating to criminal convictions.)
Data processors that need to maintain records will be gathering the following information:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer
- the categories of processing carried out on behalf of each controller
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Whether you’re a web host or cloud provider acting as a data processor, or you’re a controller, you’ll have to designate a Data Protection Officer (DPO) if your core processing activities require regular and systematic monitoring of data subjects on a large scale, or if your core activities involve processing on a large scale of special categories of data (described in Article 9) and personal data relating to criminal convictions and offences (see Article 10 for more information).
What’s the function of the Data Protection Officer?
Article 39 goes into the responsibilities of the DPO, but the DPO is basically the person involved in all issues relating to the protection of personal data. They report to the highest management level, are reachable by data subjects regarding the processing of their personal data, and act as the contact point for the supervisory authority. They must receive the necessary resources to fulfill their responsibilities and maintain expert knowledge through ongoing training, and must neither receive instructions on, nor be dismissed or penalized for, the exercise of their duties. The DPO may also fulfill other tasks and duties beyond the GDPR, provided that these do not constitute a conflict of interest, and they may be an employee or a contractor.
As a web host, cloud service provider or app developer, it’s important to know:
- What relationships do you have where you’re a data processor?
- What relationships do you have where you’re a data controller?
- As a data processor, do you have mechanisms in place to carry out GDPR-required actions on behalf of the data controller?
- How can you meet the reporting requirements?
- Do you need a Data Protection Officer (DPO)? If so, who should be given that role, and how can you ensure they can carry out their responsibilities?
It’s important to go through your existing client relationships and data processes, and look at what you can change to be confident you’re meeting your GDPR obligations. This might require external help to be sure you’re exercising due diligence.
Pretty much every business handles customer data in some way, but web hosts and cloud service providers can often do a lot of personal data collection, storage, and processing on behalf of their clients.
At its core, GDPR is about ensuring companies are using secure methods to collect and store data, and that customer data is being used in secure, reasonable and intended ways. These are all really good things.
As a web host, cloud service provider or app developer, your clients depend on you for their GDPR compliance and clients will want to deal with providers that have strong data protection policies in place.
Want to get your GDPR journey started? Use this free assessment tool from our partners at SecurePrivacy which helps you understand your unique situation in as little as 30 seconds. Need more? Our consultants and partner legal team are focused on GDPR and e-Privacy Directive compliance, so we can provide a holistic solution that saves you time and money by packaging up everything you need to address your compliance needs in as low cost a manner as possible. Contact us today!