GDPR and what it will mean for companies outside the EU
Mon 25 Jun 2018 | Michael Mudd
The European Union (EU) has adopted two key pieces of legislation relating to data processing: the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NISD). Both were adopted in 2016. The NISD, being a directive, has to be transposed into national law by the member states and applies from May 10th 2018; the GDPR, a regulation that applies directly and replaces the old Data Protection Directive, will be enforced from May 25th, 2018. Here I will briefly summarize a few of the 99 articles of the GDPR (and its 173 recitals…) that may affect owners and operators of data centres outside the EU.
The intention of the GDPR is to give individuals control over how their personal data is used. Broadly, this means that any company that solicits, targets, collects, stores or processes the personal data of anyone in the EU, including obtaining consent, anonymising data, reporting data breaches or transferring data across borders, will need governance policies in place for GDPR compliance. Despite having triggered the ‘Brexit’ process, the UK has publicly stated that it will adopt the GDPR in full.
As it covers the data of any individual in the EU, regardless of citizenship or where the data is held, companies that process data outside the EU should expect additional demands from their customers to demonstrate that they are taking measures to minimize their exposure to infringing the GDPR.
What does this mean for companies such as banks or insurers that operate a data centre (DC) outside the EU? Plenty is the short answer: regardless of your organization’s location, if you collect personal information on EU residents, you will need to protect it or face heavy fines. The GDPR applies to the processing of personal data in the context of the activities of a controller or processor established in the Union, regardless of whether the processing itself takes place in the Union or not (Article 3(1)), and to controllers and processors outside the Union that offer goods or services to, or monitor the behaviour of, data subjects in the Union (Article 3(2)). There are two key definitions of relevance: the controller, who determines the purposes and means of the processing of personal data, and the processor, the entity that stores, transmits or applies a computational process to the data on behalf of the controller.
DC owners would fall primarily under the latter unless they are on-premise or captive DCs, in which case they may be both. For the purposes of this article I will only address the processor; this also covers cloud service providers (CSPs). For example, IBM announced increased security measures in its German cloud data centre whereby access to customer data in Frankfurt will be controlled by EU-based IBM employees only.
Article 28 outlines the responsibilities of a processor in ten paragraphs that refer extensively to other articles, but the opening paragraph defines the relationship: ‘Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.’
In particular, Recital 83 of the GDPR states that ‘in order to maintain security […] the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption’, and that ‘consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage’. A comparable risk-based security obligation is placed on operators of essential services and digital service providers by the NISD.
Similarly, Recital 23 states that ‘…the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services…’.
Article 15 gives a data subject the right of access to the personal data a controller holds about them, including a copy of that data; under Article 20 (data portability) they may receive it in a structured, commonly used and machine-readable format and have it transmitted to another controller. This is rather like cellphone number portability and, in theory at least, should increase competition. Article 80 allows individuals to mandate a not-for-profit body, organisation or association to lodge complaints and exercise remedies on their behalf, which in practice may resemble class action lawsuits.
Where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards, pursuant to Article 46, relating to the transfer (Article 15(2)). The GDPR also provides for the right to erasure (‘the right to be forgotten’) under Article 17, subject to certain conditions. Processes have to be in place to ensure compliance if a DC owner/operator holds such data.
This means that a DC owner/operator has to be able to block access to a data subject’s data when an order is issued, and has to have a process in place to export or move data as requested by the controller, and to erase it, down to the individual record level and including backup copies. Email also has to be treated more carefully. In September 2017 the European Court of Human Rights ruled (in Bărbulescu v. Romania) that companies must inform employees in advance if their work email accounts are going to be monitored, and that such monitoring must not unduly infringe upon workers’ privacy. The GDPR also applies to employee privacy and data handling within the EU, and by extension to email chains, which may well be global.
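Erasing a record ‘including all backup copies’ is the hard part of the above: backup media are typically immutable, offsite, and not rewritten on demand. The technique a security engineer would reach for is crypto-shredding, which also ties in with the encryption that Recital 83 names as a mitigation measure: encrypt every record under a key that belongs to one data subject, keep the keys out of the backup set, and serve an erasure request by destroying the key, so that every copy of the ciphertext, live or in any backup, becomes unreadable. The Go program below is an added illustration of that pattern, not code from the article, from IBM, or from any named product. The store design, the `Store`, `Put`, `Get`, `Erase` and `Demo` names, the per-subject AES-256-GCM keys, and the sample records are all assumptions made for the example; a real deployment would hold the per-subject keys in an HSM or KMS with its own audited deletion path rather than in a process map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrErased = errors.New("subject key destroyed; data unrecoverable")

// Store keeps one random AES-256 key per data subject, apart from the sealed records.
type Store struct {
	keys    map[string][]byte   // subject ID -> 32-byte key, never backed up
	records map[string][][]byte // subject ID -> nonce||ciphertext records, backed up as-is
}

// aeadFor returns AES-256-GCM under the subject's key, or ErrErased once it is destroyed.
func (s *Store) aeadFor(subject string) (cipher.AEAD, error) {
	key, ok := s.keys[subject]
	if !ok {
		return nil, ErrErased
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put seals plaintext under the subject's key (minted on first use); the subject ID
// is bound as associated data so a record cannot be re-attributed to another subject.
func (s *Store) Put(subject string, plaintext []byte) error {
	if _, ok := s.keys[subject]; !ok {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		s.keys[subject] = key
	}
	aead, err := s.aeadFor(subject)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(subject)) // nonce || ct+tag
	s.records[subject] = append(s.records[subject], sealed)
	return nil
}

// Get decrypts every record of one subject (the access and export path).
func (s *Store) Get(subject string) ([][]byte, error) {
	aead, err := s.aeadFor(subject)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	var out [][]byte
	for _, r := range s.records[subject] {
		pt, err := aead.Open(nil, r[:ns], r[ns:], []byte(subject))
		if err != nil {
			return nil, err
		}
		out = append(out, pt)
	}
	return out, nil
}

// Erase deletes the live records and, decisively, destroys the key (crypto-
// shredding), so ciphertext copies still sitting in backups can never be read.
func (s *Store) Erase(subject string) {
	delete(s.records, subject)
	delete(s.keys, subject)
}

// Demo: two constructed sample records (not real data); back up, erase and restore alice.
func Demo() (bobReadable, aliceRecoverable bool, err error) {
	s := &Store{keys: map[string][]byte{}, records: map[string][][]byte{}}
	if err = s.Put("alice", []byte("Alice Example, DOB 1980-01-01")); err != nil {
		return
	}
	if err = s.Put("bob", []byte("Bob Example, policy 12345")); err != nil {
		return
	}
	backup := s.records["alice"] // what a backup job copied before the request
	s.Erase("alice")
	s.records["alice"] = backup // a restore brings the ciphertext back, not the key
	bob, err := s.Get("bob")
	if err != nil {
		return
	}
	bobReadable = len(bob) == 1 && string(bob[0]) == "Bob Example, policy 12345"
	_, gerr := s.Get("alice")
	aliceRecoverable = !errors.Is(gerr, ErrErased)
	return
}

func main() { fmt.Println(Demo()) }
```

Running it prints `true false <nil>`: Bob’s record still decrypts, while Alice’s ciphertext, although restored intact from the pre-erasure backup, can no longer be opened because her key is gone. The same property lets a processor answer a controller’s erasure instruction without touching tape or offsite media, provided the key store itself is excluded from backups and key destruction is logged as the evidence of erasure.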
The regulation also mandates (Article 37) that public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, appoint a Data Protection Officer (DPO) to have an overall view of where data is located and to set controlled parameters on who has access to it. The DPO will have to work with DC operators and processors to monitor and control data movement across the company and its use, and to ensure compliance. If neither the processor nor the controller has an establishment in the EU, they may need to designate a representative in the Union (Article 27) to receive notices.
This means that a full data governance and data loss prevention strategy will be demanded by customers who hold data subject to the GDPR and who contract with DC owners and operators. A recent ISOC workshop in Hong Kong, for example, indicated that companies that hold or process data there had already received questionnaires from Europe asking whether they are GDPR compliant.
The board of directors of a company that handles data has a fiduciary duty to ensure that shareholders are protected, no matter where data is stored or processed. A data controller cannot outsource its responsibility under the GDPR, but it can certainly seek legal redress if the processor fails to take adequate steps to protect its data; the regulation also places obligations (Article 28) and liability (Article 82) directly on processors. Companies that have a DC outside the EU and that do business in Europe need to take steps now to re-architect their data provisioning and security to have any chance of compliance, as there are now less than 3 months left to get the controls in place to avoid severe penalties.
In summary, all companies that handle EU data need to revisit all their policies and processes now to ensure they are GDPR compliant.