The General Data Protection Regulation (GDPR) is a sweeping new European Union (EU) privacy law. The GDPR harmonizes data privacy laws across the EU and mandates how companies collect, store, delete, modify and otherwise process personal data of EU citizens. It applies to any company that processes personal data of EU citizens, regardless of whether that company has any physical presence in the EU, or even whether it has any EU customers.
1. What is GDPR?
The General Data Protection Regulation (GDPR) is a sweeping new EU law which mandates how companies can collect, store, delete, modify and otherwise process personal data of EU citizens. It applies to any company that processes personal data of EU citizens, regardless of whether it has any physical presence in the EU, or even whether it has any EU customers. Companies are also required to pass these obligations down to all of their vendors and suppliers who may also handle personal data of EU citizens anywhere in the world.
2. When will GDPR be the law?
GDPR comes into effect across the European Union on May 25, 2018. It’s a regulation (rather than a directive), meaning that it will instantly become law in all EU Member States on that date. Despite Brexit, the UK is committed to stay compliant with the GDPR.
3. Who does GDPR apply to?
The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.
4. What can customers do to prepare for GDPR?
For those that have already implemented a high bar for compliance, security, and data privacy, the move to GDPR should be simple. For those who are yet to start their journey to GDPR compliance, we urge you to start reviewing your security, compliance, and data protection processes now to ensure a smooth transition in May 2018. Here are some of the key points that you should consider for GDPR compliance:
- Territorial Reach: Determining whether the GDPR applies to an organization’s activities is essential to ensuring that organization’s ability to satisfy its compliance obligations. The GDPR applies to all organizations that are established in the EU. However, depending on your activities, the GDPR may also apply to you if you are established outside the EU.
- Data Subject Rights: The GDPR enhances the rights of data subjects in a number of ways. For example, data subjects have the right to object to the processing of their data and they have the right to data portability. You will need to make sure you can accommodate the rights of data subjects if you are processing their personal data.
- Data Breach Notifications: If you are a data controller, you will need to report data breaches to the data protection authorities without undue delay. Using 247RACK gives you control over how you want to process personal data and protect it. This gives you the ability to monitor your own environment for privacy breaches and to notify regulators and affected individuals as required under the GDPR. In addition, 247RACK will notify you without undue delay if we are aware of a breach of our security standards relating to the 247RACK network.
- Data Protection Officer (DPO): You may need to appoint a DPO who will need to manage data security and other issues relating to the processing of personal data.
- Data Protection Impact Assessment (DPIA): You may need to conduct, and in some circumstances you may be required to file with the supervisory authority, a DPIA for your processing activities. This will need to identify your data handling procedures and processes, as well as the controls in place to protect personal data.
- Data Processing Agreement (DPA): You may need a DPA that meets the requirements of the GDPR, particularly if personal data is transferred outside the EEA. Your account manager can answer questions related to putting a DPA in place for your organization.
247RACK offers a wide range of services and specific service features which help customers meet the requirements of the GDPR, including services for access controls, monitoring, logging and encryption. Clients who are utilizing VMware solutions should refer to VMware's official compliance statement.
We also have teams of compliance, data protection, and security experts, as well as 247RACK Partner Network partners, working with customers across Europe to answer their questions and help them prepare for running workloads in the cloud after the GDPR becomes enforceable. For additional information on this, please contact your 247RACK Account Manager.
5. What should I do to get started with the GDPR compliance process?
Inform: review your vendor list and get comfortable with how data flows across your business, what type of personal data you collect and who has access. If 247RACK is one of your vendors, and you have determined that you need a DPA in place with 247RACK, our GDPR-compliant DPA is available for download and signature as an attachment file linked to your account. Note that you must be logged in as an account administrator to access it.
Assess: undertake a risk assessment within your business and identify any gaps that need to be filled in order to meet GDPR compliance.
Plan: get in touch with us to understand how our products can help meet your compliance needs, and develop an action plan that is mindful of the May 25, 2018 deadline.
Act: implement your GDPR compliance program and make GDPR compliance an ongoing discipline.
6. How does 247RACK handle delete requests from clients?
247RACK services allow for the deletion of content by customers on demand, using the 247RACK Management Console, APIs, and other input methods. For more information about specific service functionality consult with your account manager.
7. What is the definition of “personal data” under GDPR?
The first and most important thing to realize is that the EU concept of “personal data” is much, much broader than the U.S. concept of “PII”. Under EU law, personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It doesn’t have to be confidential or sensitive to qualify as personal data.
8. Do I count as a data controller or data processor?
247RACK customers will typically act as the data controller for any personal data made available to 247RACK in connection with their use of 247RACK’s hosting or cloud services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. 247RACK, as the data processor, will process personal data on behalf of our customers in connection with providing the services to our customers.
9. What types of data does 247RACK process?
We are generally just a conduit for information controlled by others: it is our customers and their users who control the content transmitted, routed, switched and cached across our network (e.g. images, written content, graphics etc.). Additionally, we may gather certain information regarding use of our customers’ websites, and process data submitted by our customers or which we are instructed to process on their behalf during support requests, similar incidents, or remote-hands requests approved by our clients. While it is not up to us which data we receive, it typically includes items such as contact information, IP addresses, security fingerprints, DNS log data, and website performance data derived from browser activity. We will process such data in order to provide the service to our customers and in accordance with applicable laws, including the GDPR.
The team at 247RACK is fully committed to complying with the requirements of the GDPR. We understand that compliance with a new set of privacy laws can be challenging, and we are here to help with your GDPR compliance initiative by providing you with state of the art GDPR compliant services.
Our legal and policy experts have closely analyzed the requirements of the GDPR and continue to monitor new guidance on best practices for implementing the requirements of the GDPR. We have taken these new requirements to heart and made changes to our products, contracts and policies to ensure that we are fully in compliance with the GDPR before May 25, 2018. We are also dedicated to helping you, our customer, succeed in complying with the GDPR.