New EU legislation, the GDPR (General Data Protection Regulation), applies from 25th May 2018, and the countdown is on for businesses to be ready for when it goes live or risk facing substantial fines.
If you're reading this article, you'll know GDPR is the hot topic for discussion today among IT directors and compliance officers. Its introduction brings the biggest changes in the management and ownership of data seen in the last 20 years, with much debate over exactly what the new law will mean and how it will affect businesses.
What is clear is the significant change it brings to the relationships businesses have with their data processors, i.e. any third-party suppliers your business uses for its operations, who must now meet defined security and contractual obligations in how they capture, store, process and manage data on your behalf.
Article 4 of the GDPR defines the roles of controller and processor.
In short, a data controller determines why and how personal data is processed, while a processor carries out that processing on the controller's behalf. The controller is therefore legally responsible for choosing processors that provide sufficient guarantees and for ensuring, by contract, that they abide by data protection law; note that under GDPR processors also carry direct obligations of their own, so a supplier cannot treat compliance as purely the controller's problem.
Managed service providers fall within the role of processor, and a recent GDPR report by IT Europa provides useful guidance on how your business should start planning to work with them.
For example, new clauses to be factored into your contracts with processors (these mirror the mandatory terms set out in Article 28 of the GDPR) should include:
- Appropriate security measures
- Act only on controller instructions
- Controller control over sub-contracting (sub-processing)
- Notification of data breaches and assistance responding to them
- Audit rights
- Assistance responding to data subjects exercising their rights.
- Deletion/return of personal data on termination
The onus is on you and your business to ensure your managed service partners have the right processes and systems in place to achieve the additional level of data security required for GDPR compliance, or are at the very least actively reviewing how to achieve them.
This is no small task: your business must track, audit and verify every supplier and partner so that none of them becomes a point of failure on your path to GDPR compliance.
What ‘Trust with Verification’ means
At the moment you put your trust in their professional services; 'trust with verification' adds independent evidence to back that trust up.
Digital Craftsmen, a specialist managed cloud services provider, has attained the international ISO 27001 certification, which means its information security management system has been independently audited and certified as conforming to the standard. ISO 27001 certification is not in itself proof of GDPR compliance (no certification scheme is), but it gives you audited, verifiable evidence of a supplier's security processes and systems, and this 'trust with verification' brings you one step closer towards achieving GDPR compliance and securing your peace of mind.
If you've not started preparing for GDPR compliance yet, we can recommend the following steps from the Cloud Industry Forum's seven-step guide, which offer a good starting point:
- Know where your cloud services are holding data. GDPR requires controllers and processors to know where personal data is located for storage and processing. List all the cloud services in use across your business, and audit them to identify where your data is being hosted.
- Increase security to protect personal data. GDPR is designed to protect personal data from loss, alteration, or unauthorised processing. This requires you to know which cloud services meet your security standards, and to increase security controls for the cloud services that don't. To help with understanding the different levels of security and what they mean, Digital Craftsmen has developed a useful guide for you to download: The Security Mindset.
- Secure a 'Data Processing Agreement' with your cloud service providers. Prepare a new contract agreement with service providers to deliver on the data protection requirements set out in the GDPR. Ensure you obtain verifiable evidence from them (certifications, audit reports, documented processes) that they have GDPR-compliant processes and systems in place to manage your data.
- Only hold 'necessary' data. Specify in your data processing agreement that only the personal data required to perform the service's function is collected by your users or organisation.
- Hold a limited amount of 'special' data. Put in place limits on the collection of 'special category' data, which the GDPR defines as data revealing things like racial or ethnic origin, political opinions, religious beliefs, and more.
- Don't allow cloud services to use personal data for other purposes. Make sure your data processing agreement clearly states that the customer (i.e. you) retains full ownership of the data, that the provider processes it only on your instructions, and that it will not be shared with any other third parties.
- Ensure the cloud service company erases the data it holds when you stop using the cloud service. Make sure the service terms state that a customer can download their own data, and that the cloud service company will delete that data once you've stopped using their service.