Slice handling EU citizens’ data has to comply

May 25 is coming closer and the topic of the EU’s General Data Protection Regulation (GDPR) is becoming hotter day by day. Being an international company with customers worldwide, including Europe, Jelastic is also actively preparing to meet the requirements. In order to do that, we made a thorough investigation of this topic and would like to share our findings with our partners, customers and readers in general.

Introduction

Every organization within the EU, and every organization handling EU citizens’ data, has to comply with the regulation; there is no compromise. GDPR cannot be overturned or repealed by any individual government, as it has been agreed by all member states within the EU. Not meeting the requirements will lead to huge fines.

This new EU General Data Protection Regulation is not a re-invention of existing data protection rights; it only places a new emphasis on them. There are other regulations and standards which overlap with GDPR, for example the Payment Card Industry Data Security Standard (PCI DSS). For some organizations, this will already amount to a compliance-oriented architecture (COA). If this is the case, your organization has a good starting point and may not need many adjustments to comply with GDPR.

The new GDPR also maintains the elementary principles of data protection: data minimization and transparency. Privacy by design and by default has the concept of minimization at its core, meaning that only the minimum amount of data needed to complete the task at hand is held.

Most likely, compliance with GDPR will improve data protection and security, increasing customer trust around the globe.

Who Is Affected

Any company holding a person’s data that moves across EU jurisdictions will be affected, even if the company is not located in Europe. GDPR introduces extensive and all-inclusive changes to data privacy for anyone in the EU (from citizens to visitors and immigrants) and for any company that retains EU customer data.

Gartner recently predicted that only 50% of companies impacted by the tough regulation will be compliant by the end of 2018. Non-EU companies will be a special target for higher fines.

What Data Is Subject to Protection

GDPR requirements are far-reaching and thorough. They include protection of personal information related to race, genetics, health, biometrics, sexual orientation, criminal convictions and offenses, political opinions, and other data of this kind that belongs to citizens and residents of the European Union.

How Processing Should Be Performed

Data processing includes any manual or automated operation taken in relation to personal data, including the following: collection, recording, organisation, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction.

It is required to ensure that personal data is collected only for specific, explicitly stated and legitimate purposes, and further processed for those purposes fairly and lawfully. In addition, the data must be relevant to the processing purposes, correct and up to date.

Also, companies have to ensure that all reasonable measures are taken to complete, correct, block or erase data, and that personal data is not kept for a period longer than necessary.

When It Comes into Effect

Strictly speaking, GDPR has already been in force since May 2016, but thanks to a transition period, companies are only obliged to apply the regulation to their customer data from 25 May 2018.

If you want to comply with GDPR before the deadline, now is the last-minute call to start preparing, with a strategic vision and solution that not only simplifies the complex process of meeting and maintaining GDPR compliance, but also propels you to agile levels of IT infrastructure efficiency and security.

Why Take It Seriously

Breaking the regulation down, there are 99 Articles and 177 recitals to consider that need to be applied to the business. Ignoring the need for a security plan is a surefire way to fall under the GDPR hammer.

Not being prepared for or complying with these new rigorous standards could cause your organization to pay out an incredible amount in fines: up to €20 million or 4 percent of global annual revenue, whichever is greater.

Next Steps

Audit Data and Document the Plan

To start with, you need to understand what the roadmap for achieving GDPR compliance looks like for your organization. For this, you must audit your data to find out what type of data you’re managing, its location, the reasons and necessity for having access to it, how the data is being used, how long it is stored and what the process for its deletion is.

You have to develop and document a security plan to better protect your IT infrastructure and data—while fully complying with GDPR. The lack of established processes almost guarantees that IT spends extra time chasing down failed file transfers or untracked, unmonitored, unsecured data.

Define Your Company as Controller or Processor

Determine whether you’re a controller or a processor; both parties are liable for upholding data subjects’ rights.

“Data controllers” are defined as any “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.” This is estimated to cover up to 80 percent of enterprises in the world. For example, if you own a blog that allows registration with an email address, or a SaaS service, you are the Data Controller according to the GDPR rules. It means that you take responsibility for the safety of your users’ personal data, such as email address, phone number, personal ID, passport number, etc.

“Data processors” are defined as any “person, public authority, agency or other body which processes personal data on behalf of the controller.” Cloud service providers fall into this category by default, and it’s not surprising that over the past few years major providers have been quickly building out infrastructure across the EU to address the new requirements. In the case of Jelastic, we already have 30 data centers within the European Union through partnerships with local service providers. This lets European customers host their data in accordance with local regulations without being limited to one or two availability zones.

Set Up Notifications and Customer Preferences Selection

Under the GDPR, security breach notification is required in the event that data security is compromised. Without these notifications, you could face serious fines. GDPR requires that, within 72 hours, the data controller must notify the supervising authority and the data subject. Your updated security plan must also include your plan of response to a security breach, a notification list, the information required, and how to access the report information.

For every use case, customers should be able to select which options they agree to and which they decline. The company must comply with and track their preferences.

Analyze Third-Party Providers and Cloud Services

Audit your third-party providers and contractors, and re-evaluate your service agreements with them. If a third party cannot prove their GDPR compliance, the work they perform on your EU data is not lawful.

Consider where the data centers of your service provider are located. Many companies are moving data centers to the EU to comply. Some cloud-based database providers can easily discern and segregate EU data for you. Managed public cloud services at trusted and GDPR-compliant data center providers may be more cost-effective and secure compared to in-house solutions. But some cloud providers will certainly implement the highest possible security and pass the costs on to all customers, or offer tiered services where sensitive data hosting has higher security levels and costs more. Some organizations may conclude that the processing of personal data is so core to their business that they want to run the systems themselves (in-house). In that case, plans for GDPR should be well underway and an architecture that ensures compliance should be in place. Considering this possible flow, it is rather handy that Jelastic can be installed as a private cloud on premises, so our customers don’t need to get used to a new platform if they decide to move from the public cloud.

Appoint a Data Protection Officer (DPO)

Under GDPR, public authorities have to appoint a Data Protection Officer (DPO). Basically, a DPO is required if your company manipulates and processes sensitive personal data (e.g. banks, credit companies, healthcare), but if you only have HR data, a dedicated DPO is not needed. It’s important to highlight that DPOs do not need to be members of the organization, so they can be hired externally as consultants. There is no specific list of DPO credentials, but Article 37 states that a data protection officer is required to have “expert knowledge of data protection law and practices.” The DPO’s expertise should align with the data processing operations of the organization and the level of data protection required. If you’re hiring external DPOs, make sure they understand not only the data specifics but also the business they work for.

Consider Country-Based Specifics

Data transfers to any of the 28 EU member states are still allowed, as well as to Norway, Liechtenstein and Iceland. Transfers to countries that the European Commission (EC) has deemed to have an “adequate” level of protection, such as Andorra, Argentina, Canada (for commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay, are also still possible. Outside of these areas, appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., EU “Model Contracts”) should be used. EU-based data controllers should pay specific attention to the new mechanisms under the GDPR when selecting or evaluating data processors outside the EU, and ensure appropriate controls are in place. Outside of the EU, organizations processing personal data on EU residents should select the appropriate mechanism to ensure compliance with the GDPR.

It is important to check all the details for the specific country you have connections with:

Germany: In comparison to other countries, not everything will change fundamentally in Germany when GDPR comes into force. The EU has recreated some of GDPR’s foundations from German law. This applies in particular to the previous principle of the “Prohibition with the Right of Permission”. Accordingly, all types of processing of personal information are forbidden until the legislator explicitly permits processing or the person concerned gives their explicit consent.

The UK: Brexit, planned for 29 March 2019, will make no difference. UK-based organizations will face a 10-month period of compliance enforced by the EU itself. Furthermore, the terms of the GDPR will pass into UK law unless the government specifically repeals them, and the UK’s Information Commissioner’s Office took a lead in defining GDPR and, as it stands, supports its core principles. The UK government has stated that the new rules will come into effect before Britain leaves the EU.

The USA: One of the GDPR requirements is that transfers must only happen to countries deemed as having adequate data protection laws. The US is not listed as one of those countries. To meet the requirements, a special agreement called Privacy Shield has been designed. It creates a program whereby participating companies are deemed as having adequate protection, and therefore facilitates the transfer of information. Non-EU companies need to assign a representative from an EU supervisory country. This representative is the point of contact for all communications with the GDPR supervisory body. It might be reasonable to engage a Data Protection Officer (DPO) with the required expertise; a DPO is needed if data processing operations require systematic and regular tracking and processing of data subjects on a large scale.

Summary

We expect that GDPR will bring part of the data back to the EU. Data controllers will give preference to local data center providers in the countries where personal data is collected. Here Jelastic meets the needs of customers by partnering with 25 service providers that have data centers in the EU and well-conceived processes for data collection. On the other hand, the majority of data controllers (i.e. website owners, mobile app developers, SaaS solutions) should improve both the technical and legal aspects of personal data security within their companies to be compliant with GDPR and avoid fines.

In the cloud industry, we will notice increasing demand for migration services and greater attention to the lock-in issue, as many companies will have to shift from untrusted public clouds that are not compliant to domestic data center providers or even to on-premises private clouds. The demand for hybrid and multi-cloud will also grow. Find out more about how Jelastic can help you meet GDPR requirements while hosting your projects in the cloud by contacting us via [email protected]