The 10 Minute Guide to Being GDPR Compliant
The 10 Minute Guide to Being GDPR Compliant and What it Means for Web Hosting and Managed Service Providers
The GDPR, or General Data Protection Act, is one of the most comprehensive privacy and data protection regulations to be adopted by the European Union (EU). Firms need to rethink and, most likely, change their privacy, security, and data governance strategies to comply.
And this legislation has teeth!
Failure to comply can result in fines of the greater of €20 million or 4% of a company’s annual global revenue, based on how bad the breach and damages are.
Here are some of the key points of the new regulations:
- The regulations impact any company that maintains personal data on EU individuals, no matter where the company is located. EU individuals have the right to request their records and have the right to be “forgotten.”
- Firms must conduct privacy impact assessments.
- Certain breaches of information require firms to notify EU authorities and, in most cases, notify end users.
- There are additional requirements for firms that conduct profiling and monitoring of EU individuals.
- Two main roles are identified:
  - The “controller” of personal data: the entity which determines the purposes and means of the processing of personal data.
  - The “processor” of personal data: the entity which processes personal data on behalf of the controller. Examples of processing include storage, recording, organization, and retrieval.
Per GDPR, organizations that belong to either or both of those roles are liable and responsible for compliance.
Web hosters or managed service providers (MSPs) are categorized as data processors concerning their offerings to clients, who, in turn, are considered the data controllers.
If you’re a web hoster or MSP with users in the EU, you are affected by GDPR. The impact of non-compliance can be detrimental to your business.
Need another worry?
Since most hosters and MSPs use third-party SaaS tools, those tools must also be compliant. And just asking if those tools are GDPR compliant may not be enough. Verification is essential.
What is Personal Data
Let’s start first by explaining how personal data is defined per GDPR:
‘Personal data’ means any information relating to an identified or identifiable natural person (known as a ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
– Article 4 EU GDPR
Focusing on Getting GDPR Right the First Time is Key
So, here’s a quick guide to help you understand GDPR compliance, designed especially for hosting and MSP firms.
Quick Guide to Being GDPR Compliant
1. GDPR Overview
The protection of personal data is an integral part of the EU Charter of Fundamental Rights. Article 8 states that:
“Personal data should be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”
This includes the right to be forgotten.
GDPR determines how firms must process, protect, and notify individuals living in the EU regarding their personal data. This includes all aspects of collecting, storing, transferring, or using that data.
As we saw in the previous definition, “personal data” as defined by GDPR is broad and potentially includes identifiers such as email addresses and IP addresses.
The GDPR increases the enforcement of the regulations as well as the cost of the fines associated with noncompliance or breaches. Firms must comply with significantly increased obligations for how they handle and protect data.
2. Expanding the Rights of Individuals
The GDPR expands the rights of individuals in the EU by providing them the right to request copies of any personal information about them stored by a firm. Also, individuals in the EU have the right to have their personal data removed. This is commonly known as the “right to be forgotten.”
For firms in the MSP and hosting business, this means it is critical to keep accurate records on backups and archiving of personal data for any user located in the EU. It also means these firms must be able to quickly identify users’ personal data, provide accurate records of the data, and, if necessary, delete or recover the data.
3. Increasing Compliance Obligations
In addition to the expanded rights of individuals, the GDPR mandates that firms have policies and procedures in place to ensure the security of personal data. Further, firms should conduct impact assessments to validate that data security and privacy are being maintained.
Hosting and MSP firms need to create and implement policies and processes to ensure data security and integrity as well as data availability. Technical safeguards such as encryption, endpoint security and pseudonymization are recommended by GDPR to provide data security.
GDPR places additional burdens on ensuring that vendors of hosting and MSP firms are also compliant.
4. Required Notification of Data Breach and Security
Under the GDPR, firms must report data breaches to data protection agencies and, in most cases, to affected individuals within 72 hours. They must also be able to demonstrate when a breach occurred and identify the data that was accessed or altered.
Firms must also comply with more stringent security requirements to help enforce tighter controls over access and use of personal data.
The burden on hosting firms and MSPs is clear:
5. Requirements for Profiling and Monitoring Behavior
For firms that profile or monitor the behavior of EU individuals, there are additional requirements governing those activities. The degree to which a firm engages in monitoring and profiling will affect GDPR’s impact.
The definition of what constitutes profiling and monitoring will change over time, making it an ongoing challenge for those firms to comply with GDPR.
For hosting and MSP firms, any activity associated with profiling or monitoring behavior of EU users will require compliance with these new requirements. Being able to assess current and future profiling and monitoring activities will be an essential consideration of any firm dealing with user data.
6. Appointment of a Data Privacy Officer May Be Required
Under the GDPR, there is an obligation for some organizations to appoint a data protection officer (DPO), especially if a firm is performing large scale systematic profiling and monitoring of individuals (for example, online behavior tracking).
However, we believe that appointing a DPO is best practice even if your firm is not obligated to select one.
The €20 Million (or more) Fine
How serious are these new regulations?
The teeth of these regulations are the penalties, which can be the greater of €20 million or 4% of a company’s annual global revenue. That’s not EU revenue, that’s global revenue!
This amount will vary depending on how bad the breach or other noncompliance is. Still, it is a large enough number that anyone managing a firm, especially those with tight margins like hosting companies or MSPs, should be paying attention.
Not in the EU? You Still Need to Pay Attention
Even if your firm is not located in the EU, these regulations may still apply to you.
If you have EU users who have their personal information in your systems, then you will need to comply. The GDPR requirements apply to firms inside or outside the EU as long as they are storing or tracking personal data of EU individuals.
And in addition to addressing their own GDPR compliance, web hosters and MSPs should support their customers in the same endeavor.
How Dropsuite Can Help with GDPR
Dropsuite’s backup and archiving solutions were specifically designed to ensure continuous protection of data and compliance with various data regulations. Our powerful automated backup and archiving coupled with easy-to-use, one-click restore ensure your customers’ data is available and secure at all times.
In addition, our advanced search features make finding data lightning-fast and efficient. This can greatly facilitate instances where retrieving personal data on an individual must be done under a tight regulatory deadline.
For more information on Dropsuite Email Backup and Archiving, Dropsuite Website Backup, or any of our other backup solutions, contact us at +1-408-780-2106 or internationally at +65 6813 2090. Or, you can email us at firstname.lastname@example.org.