The 10 Minute Guide to Being GDPR Compliant and What it Means for Web Hosting and Managed Service Providers
The GDPR, or General Data Protection Regulation, is one of the most sweeping privacy and data protection regulations to be introduced in the European Union. Firms need to rethink and, most likely, change their privacy, security, and data governance strategies to comply.
And this new legislation has teeth!
Failure to be compliant can result in fines of the greater of €20 million or 4% of a company’s annual global revenue, based on how bad the breach and damages are.
Here are some of the key points of the new regulations:
- The regulations impact any company that maintains personal data on EU Individuals no matter where the company is located
- EU Individuals have the right to request their records and have the right to request to be ‘forgotten’
- Firms must conduct privacy impact assessments
- Certain breaches of information require firms to notify EU authorities and in some cases, notify the end users
- There are added requirements for firms that conduct profiling or monitoring of the behavior of EU users
- Two main roles are identified:
  – The “Controller” of Personal Data: the entity which determines the purposes and means of the processing of personal data.
  – The “Processor” of Personal Data: the entity which processes personal data on behalf of the controller. Examples of processing: storage, recording, organization or retrieval.
Per GDPR, organizations that fall into either or both of those roles are liable and responsible.
Web hosters or MSPs are categorized as data processors in relation to their offerings to end-clients, who, in turn, are considered the data controllers.
If you’re a Web Hoster or Managed Service Provider (MSP) with users in the EU, you are affected by GDPR and the impact of non-compliance can be catastrophic to your business.
Need another worry?
Since most Hosters and MSPs use third-party SaaS tools, those tools must also be compliant. And just asking if those tools are GDPR compliant may not be enough. Verification is essential.
What is Personal Data
Let’s start first by explaining how Personal Data is defined per GDPR.
‘Personal data’ means any information relating to an identified or identifiable natural person (known as a ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
– Article 4 EU GDPR
Focusing on Getting GDPR Right the First Time is Key
So here’s a quick Guide to help you understand GDPR Compliance, designed especially for Hosting and MSP firms.
Quick Guide to Being GDPR Compliant
1. GDPR Overview:
Protection of personal data is an integral part of the EU Charter of Fundamental Rights. Article 8 states that,
“Personal data should be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”
And this includes the right to be forgotten.
GDPR determines how firms must process, protect and notify users regarding their personal data for anyone living in the European Union. This includes all aspects of collecting, storing, transferring or using that data.
An important note: as we saw in the definition above, “personal data” as defined by GDPR is broad, and potentially includes identifiers such as an email address and even an IP address!
The GDPR increases the enforcement of the regulations as well as the cost of the fines associated with non-compliance or breaches. Firms must comply with greatly increased obligations for how they handle and protect data.
2. Expanding the Rights of Individuals
The new GDPR expands the rights of individuals in the European Union by providing them the right to request copies of any personal information about them stored by that firm. In addition, individuals in the EU have the right to have their personal information removed. This is commonly known as the “right to be forgotten.”
For firms in the MSP and Hosting business, this means it’s critical to keep accurate records and backups/archives of all end-user personal data for any user located in the EU. It also means these firms must be able to quickly identify users’ personal data, provide accurate records of the data, and if necessary delete the data.
3. Increasing Compliance Obligations
In addition to the expanded rights of individuals, the GDPR also mandates that firms have policies and procedures in place to ensure the security of that data. Further, firms must conduct privacy impact assessments to validate that security and privacy are being maintained.
The regulations also require firms to be able to provide detailed records of any data activities associated with the EU users.
For Hosting and MSP firms, this places the unavoidable burden of creating policies and processes to ensure data security and integrity. Technical safeguards such as encryption, end-point security, and pseudonymization will need to be implemented.
GDPR also places additional burdens on ensuring that vendors of these firms are also compliant.
4. Required Notification of Data Breach and Security
Under the GDPR, firms must report some types of data breaches to data protection authorities. And in some special circumstances, firms must report these data breaches to the users impacted by the breach.
Firms must also comply with more stringent security requirements to help enforce tighter controls over access and use of personal data.
The burden on firms, including Hosting firms and MSPs, is clear:
- They must know when the breach occurred
- They must be able to identify exactly what information may have been accessed, edited or deleted
- They must take appropriate and quick action to notify data protection authorities and in some cases the affected individuals
5. Requirements for Profiling and Monitoring Behavior
For firms that profile or engage in monitoring behavior of EU users, there are added requirements for how that profiling and monitoring is to occur. How much this impacts each firm is subject to how much monitoring or profiling occurs.
Making it more difficult for firms is the fact that these types of profiling and monitoring activities can change over time.
For Hosting and MSP firms, any activity associated with profiling or monitoring behavior of EU users will require compliance with these new requirements. Being able to assess the types of profiling and monitoring that may already be happening, or may start happening at some later point in time will be an important element of any firm dealing with user data.
6. Appointment of a Data Protection Officer May Be Required
Under the GDPR there is an obligation for some organizations to appoint a data protection officer (DPO), especially if a firm is performing large-scale systematic monitoring of individuals (for example, online behavior tracking).
However, we believe that appointing a DPO is best practice even if your firm is not obligated to appoint one.
The €20 Million (or more) Fine
How serious are these new regulations?
Try €20 Million or more serious!
The teeth of these regulations are the penalties, which can be the greater of 20 Million Euros or four percent of a company’s annual global revenue. That’s not EU revenue, that’s global revenue!
This amount will vary depending on how bad the breach and resulting damages are. Still, it’s a large enough number that anyone managing a firm, especially a firm with tight margins like a Hosting company or MSP, should be paying attention.
Not in the EU? You Still Need to Pay Attention
Even if your firm is not located in the EU, these regulations may still apply to you.
If you have users who live in the EU and whose personal information is in your systems, then you will need to comply. The GDPR regulations apply to firms inside or outside the EU as long as they are storing or tracking personal data for EU individuals.
And in addition to addressing their own GDPR compliance, Web Hosters and MSPs should support their customers in the same endeavor.