1. GDPR Overview
Protection of personal data is an integral part of the EU Charter of Fundamental Rights. Article 8, after establishing that everyone has the right to the protection of personal data concerning him or her, states that:
“Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”
The GDPR builds on this right and adds others, among them the right to erasure, better known as the “right to be forgotten.”
The GDPR determines how firms must process, protect and report on the personal data of individuals who are in the European Union. This covers every stage of handling that data: collecting, storing, transferring and using it.
An important note: “personal data” as defined by the GDPR (Article 4(1)) is broad. It covers any information relating to an identified or identifiable person, which includes obvious identifiers such as a name or email address but also online identifiers such as an IP address or a cookie ID.
The GDPR strengthens enforcement and sharply raises the fines for non-compliance and for breaches. Firms must meet greatly increased obligations for how they handle and protect personal data.
2. Expanding the Rights of Individuals
The GDPR expands the rights of individuals in the European Union. They have the right to obtain a copy of the personal data a firm holds about them (the right of access), in some cases to receive it in a machine-readable form they can take to another provider (data portability), and to have it erased. The last of these is commonly known as the “right to be forgotten.” It is not absolute: a firm may retain data it is legally required to keep, for accounting purposes for example, but it has to be able to say why.
For firms in the MSP and hosting business, this means it is critical to know exactly where end-user personal data lives, including in backups, archives and log files, for any user located in the EU. These firms must be able to quickly locate a user’s personal data, provide an accurate copy of it, and if required delete it, and the deletion has to reach the copies as well as the primary store.
3. Increasing Compliance Obligations
In addition to the expanded rights of individuals, the GDPR also mandates that firms have policies and procedures in place to ensure the security of that data. Where processing is likely to present a high risk to individuals (large-scale monitoring, for instance), firms must conduct a data protection impact assessment (DPIA) before starting, to validate that security and privacy are being maintained.
The regulation also requires firms to keep records of their processing activities, so that they can show an authority what personal data of EU users they hold, why they hold it, and who it is shared with.
For hosting and MSP firms, this places an unavoidable burden on creating policies and processes to ensure data security and integrity. Technical safeguards such as encryption, endpoint security and pseudonymization (replacing direct identifiers with tokens that can only be linked back to a person using separately held information) need to be implemented, together with the ability to restore data after an incident and regular testing of those controls.
The GDPR also places additional burdens on these firms to ensure that their own vendors and sub-processors are compliant, and to put written contracts in place that set out what those vendors may do with the data.
4. Required Notification of Data Breaches and Security Requirements
Under the GDPR, firms must report personal data breaches to the relevant data protection authority, generally within 72 hours of becoming aware of them, unless the breach is unlikely to put individuals at risk. Where the breach is likely to result in a high risk to the people affected, the firm must also notify those individuals. A hosting firm or MSP that processes data on a customer’s behalf must in turn notify that customer without undue delay, since the customer usually carries the reporting obligation.
Firms must also comply with more stringent security requirements to enforce tighter controls over access to and use of personal data.
The burden on firms, including hosting firms and MSPs, is clear:
- They must be able to detect a breach and establish when it occurred
- They must be able to identify what information may have been accessed, edited or deleted, which categories of data were involved and roughly how many individuals were affected
- They must take appropriate and quick action to notify data protection authorities and, in some cases, the affected individuals
5. Requirements for Profiling and Monitoring Behavior
For firms that profile EU users or monitor their behaviour, the GDPR adds requirements: individuals must be told that it is happening and why, may object to it, and have the right not to be subject to decisions based solely on automated processing that significantly affect them. How much this impacts each firm depends on how much monitoring or profiling it does.
Making it harder is the fact that these profiling and monitoring activities change over time, for example when a product adds analytics or tracking features.
For hosting and MSP firms, any activity that profiles or monitors the behaviour of EU users will require compliance with these requirements. Being able to assess the types of profiling and monitoring that may already be happening, or may start at some later point, will be an important element for any firm dealing with user data.
6. Appointment of a Data Protection Officer May Be Required
Under the GDPR some organizations are obliged to appoint a data protection officer (DPO), in particular public authorities, firms whose core activities involve large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking), and firms that process special categories of data such as health data on a large scale.
However, we believe that appointing a DPO is best practice even if your firm is not obligated to appoint one.
7. The €20 Million Fine
How serious are these new regulations?
Try fines of up to €20 million serious!
The teeth to these regulations are the penalties: for the most serious infringements, up to the greater of €20 million or four percent of a company’s annual worldwide turnover for the preceding financial year. That’s not EU revenue, that’s global revenue! A lower tier of up to €10 million or two percent applies to other infringements, such as failing to keep proper records, failing to secure data adequately or failing to notify a breach.
The actual amount depends on the nature, gravity and duration of the infringement, how many people were harmed, whether the firm had reasonable technical and organizational measures in place, and how it cooperated with the authority. Still, it’s a large enough number that anyone managing a firm, especially firms with tight margins like hosting companies or MSPs, should be paying attention.
8. Not in the EU? You Still Need to Pay Attention
Even if your firm is not located in the EU, these regulations may still apply to you.
If you offer goods or services to individuals in the EU, or monitor their behaviour, and their personal data is in your systems, then you will need to comply. The GDPR applies to firms inside or outside the EU as long as they are storing or tracking personal data of individuals in the EU for those purposes; where the firm or its servers are located does not change that.
And in addition to addressing their own GDPR compliance, web hosters and MSPs should support their customers in the same endeavor.