The European Union (EU) General Data Protection Regulation (GDPR) is coming into effect on May 25, 2018, and companies are rushing to get ready. GDPR compliance is a vast area: here are just some of the questions that can help you determine your responsibilities.
1. Does GDPR apply to me?
GDPR applies to European businesses and organizations and overseas entities doing business with or tracking the behavior of EU residents. While there are many different criteria to go by, the following chart can be used as a guideline.
For companies and organizations based in Europe, it’s very clear: they must comply. For other businesses, every case needs to be assessed individually. For example, if your company’s website is accessed globally but you don’t deliver any goods to EU residents, you don’t have to worry. But if the same website tracks user behavior and delivers targeted advertising to the EU citizens, then GDPR applies to you. If you not sure, we recommend that you seek legal advice and allow yourself enough time to ensure compliance before the new law goes into effect.
Grey areas: It’s not clear how GDPR watchdogs in various EU member nations are going to sanction non-EU websites, or what are the responsibilities of third-party ad networks targeting EU users from these websites.
2. What is my role?
If GDPR applies to your company or organization, then you must determine your role within these new regulations. There are two options: Controller or Processor (it is possible to be both), and the following chart can help:
You may want to review basic GDPR concepts, in which we provide a detailed explanation of these roles, but the main reason behind the split is to separate responsibilities of the processor from those of the controller. If your company keeps all data in its own datacenter, then it is both a processor and a controller. But if your company uses the services of a cloud hosting provider or a service integrator, then it may become a processor and share the responsibilities of GDPR.
Grey areas: GDPR makes some exceptions to organizations with fewer than 250 employees, acknowledging that small and medium-sized enterprises pose a smaller risk to the privacy of EU residents. For example, Article 30 relieves both processors and controllers of such organizations from keeping the records of processing activities.
3. What must we do with historical data?
There are no clear guidelines regarding the use of historical data other than the general directive that all personal data must be used with its owner’s consent. For example, if your company is sitting on years’ worth of collected data (web server logs, order histories etc.), you won’t be able to use it without having to re-consent all of your data. This may be difficult and even cost-prohibitive for many organizations to do. The process would likely involve contacting every person in your databases and asking for permission to use their personal data for business purposes, such as sending them marketing materials or new product offers.
GDPR is going to reshape many companies’ marketing activities, changing how they handle personal data. For any data to be used, your company must ensure that it meets lawful conditions or risk hefty fines. The Information Commissioner (ICO) is currently defining guidance for organizations on what constitutes lawful data processing.
4. How do we ensure GDPR-compliant data storage?
GDPR is concerned with the privacy and safety of personal data, which can be improved by requiring companies to store personal data on the servers located inside the EU. Personal data must also be sufficiently protected from unauthorized access, hacking, and ransomware attacks.
The problem here is that many companies using third-party hosting providers or public cloud services don’t know where their data is physically located. Their hosting providers may have a local address, but their servers may be located in another country outside the EU, resulting in a potential breach of GDPR.
You’ll need to review all contracts with your service providers and cloud vendors to ensure that:
- They offer sufficient guarantees that their services meet the technical and organizational requirements of GDPR
- They don’t use any sub-contractors without your consent
- They agree to remove all of your data upon termination of your contract and provide sufficient proof that this has been done.
- They agree to report data breach incidents as required by GDPR.
It’s recommended to start with compliance tasks you can address immediately, such as upgrading your backup and storage infrastructure and services, making improvements to the security of personal data, and granting your customers their GDPR-defined rights as “data subjects” to control, alter, export and delete their personal data. Many of these requirements can easily be achieved with innovative and cost-effective data protection solutions such as Acronis Backup 12.5. Please visit www.acronis.com for more information.
Gray areas: There are no grey areas in regards to ensuring compliant data storage except in cases where GDPR touches non-EU organizations. It’s not clear whether foreign organizations will be allowed to store EU personal data in their existing data centers or have to sign deals with EU-based vendors.
5. Who’s job is it to ensure compliance within an organization?
GDPR requires many companies to establish the new role of Data Protection Officer whose job is to oversee GDPR compliance and deal with all issues related to the protection of personal data. This doesn’t mean that every company will have to put one more person on their payroll: the role may be shared by existing IT administrators or other personnel. It’s similar to the “abuse@” email address that IT companies are required to have, as it provides a single point of contact for all inquiries related to GDPR compliance.
Grey areas: Businesses outside of the EU are required to appoint an EU-based representative to act as a single point of contact for GDPR watchdogs. However, a representative is not required if company’s dealings with the EU citizens are occasional and do not involve large-scale processing of personal data, nor pose a risk to EU-based data subjects. It’s not clear how these parameters will be determined.
Start moving toward GDPR compliance with Acronis today!
Acronis can help you lift your backup and storage into GDPR compliance. Innovative solutions such as Acronis Backup 12.5, Acronis Backup Cloud (for service providers), and Acronis Storage can ensure that your and your customers’ data is protected, stored inside the EU and easily accessible.