Tick Tock – GDPR is just round the corner!
Lets get this straight GDPR affects lawyers big style! If you don’t know what GDPR stands for (General Data Protection Regulation) then you have some serious catching up to do. Hosting and GDPR? If you are hosted then you still have a problem but at least you can share it with your host. Having said that you need to make sure your host is ready!
When’s it coming in? May 2018! What about Brexit? Is it still going to affect us?
Yes it is, GDPR will apply in the UK from 25 May 2018.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Ok some questions about how the GDPR would apply in the UK on leaving the EU this should not distract from the important task of compliance with the GDPR.
So remember GDPR applies to ‘controllers’ and ‘processors’ and affects ‘data subjects’
The controller says how and why personal data is processed and the processor acts on the controller’s behalf
Hosting and GDPR in general terms?
If you are a law firm and are NOT hosted then you are a processor and controller and the data you keep is on data subjects. In this case the GDPR places specific legal obligations on you.
With the current EU Data Protection Directive (EDPD) it is data controllers rather than processors that need to comply with the act. So cloud providers like DPS Cloud (Processors) are not subject to the directive. Most cloud providers do the bidding of their controller (you the hosted company). In effect the host, DPS Cloud are doing what they are told by you.
Hosting and GDPR – what am I? Controller, Processor? What?
So Processors carry out out the bidding of the controller. So in this case companies like DPS Cloud are not normally directly subject to the EDPD rules.
GDPR changes all that; it recognises that processors play a huge role in protecting personal data. So DPS Cloud and Processors like us are subject to the new rules. That’s why Hosting & GDPR are bound together. if you are hosted you’ll need an amended contract or contact terms that cover this for you.
Now having said that as a controller you still have responsibilities in fact the GDPR means you need to ensure your contracts with processors comply with the GDPR and you fulfill your responsibilities as a controller.
If you thought this is all very complicated then, you’d be right and wrong. It is a minefield but there is nothing to fear providing you follow the rules. You need to comply and be seen to comply.
Hosting and GDPR – exactly what information does the GDPR apply to?
With a detailed definition of personal data that makes it clear that information such as an online identifier – like an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers. It reflects changes in technology and the way organisations collect information about people.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). Special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing (Article 10).
Hosting and GDPR – look here, let’s get this clear and simple – don’t keep data longer than you have to!
What are the penalties for non-compliance?
Up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements like not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors.
‘explicit’ or ‘unambiguous’ data subject consent – what’s the difference?
Consent must be given in an intelligible and easily accessible form with the purpose for data processing attached to that consent. This means it must be unambiguous. Consent must be clear and distinguishable from other matters and intelligible and in an easily accessible form using clear and plain language.
It must be as easy to withdraw consent as it is to give it.
Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent is fine.
What about Data Subjects under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
What is the difference between a regulation and a directive?
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast the the previous legislation, which is a directive.
How does the GDPR affect policy surrounding data breaches?
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.