Your GDPR Questions Answered



With the deadline of May 25th, 2018 looming, organisations are hustling to become compliant with the EU's General Data Protection Regulation (GDPR).

This article provides practical tips and guidance on how to prepare your business for GDPR.

My business is not based in the EU - to what extent does the GDPR apply to me?

The GDPR is not sector-specific and applies globally to organisations of all types and sizes that collect, store or process personal data of EU individuals.

If your business is based in the EU you are subject to the GDPR.

If your business is based outside the EU it is subject to the GDPR if it either:

  1. Offers goods or services to EU data subjects
  2. Monitors the behaviour of EU data subjects

What's included under the "personal data" umbrella?

According to the definition under Article 4(1), "personal data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


I run a private data centre - am I a data controller or a processor under the GDPR?

Let's start with the definitions. Each time an entity processes personal data, it wears the hat of either a controller or a processor.

In summary:

  • "Controllers" are entities that exercise control over the processing of personal data and determine which data to collect. All organisations are likely to process at least some personal data as data controllers (even if only in relation to their own employees)
  • "Processors" are entities which process personal data on behalf of the controller e.g. outsourced service providers

These two roles come with different responsibilities, and it is very important that you understand the legal obligations that apply to each role.

In answer to the question: if you're running a data centre, you are likely to be both. You are a controller in relation to the personal data of your employees if they are EU individuals, and a processor for your customers who are storing personal data of EU individuals in your data centre.


Preparing for the GDPR - where do I start?

Below are the first three steps which are crucial for every organisation:

  1. Data inventory: Identifying what data you hold is a key first step. Start assessing your existing database by documenting what types of personal data your organisation processes and by mapping data input and output sources.
  2. Classify, classify, classify: A well-planned data classification system makes essential data easy to find and retrieve. Make sure you differentiate between personal data and sensitive data (e.g. personal data concerning health, genetic and biometric data, data revealing racial or ethnic origin, etc. - see Article 9).
  3. Data cleanse and future-proofing: All personal data which is stored and used by your organisation needs to be cleansed and de-duplicated. The GDPR is strengthening data subject rights, so anyone requesting their personal data file must receive it within 30 days and free of charge.

Decide what processes you need to update or implement: e.g. handling information requests, deletion of data, data portability, security frameworks, etc.


My organisation is using a combination of Google Suite and Microsoft Office 365 and all our data records are stored in the cloud. If they are compliant am I still responsible for securing my data?

Both Google and Microsoft have announced that they are committed to ensuring compliance of their services with GDPR and that they will be rolling out contractual amendments in advance of May 2018, when GDPR kicks in. However, just moving all personal data to these cloud services doesn't mean that you're compliant. You still need to fulfil the responsibilities of your role as a data controller (for example, your organisation's settings for the service and who you give access to). It's important to remember that compliance remains a shared responsibility.

The GDPR will push every organisation that handles personal data of EU subjects to become more robust in their ability to demonstrate that they can protect the privacy of the data and bring their privacy policies and programmes to a new standard of security.


How can 10Duke help?

10Duke Enterprise can help you achieve compliance by ensuring that all user access to data is logged and an audit trail can be provided when required. Also, the users' personal data that is held by the Identity Provider can easily be exposed to the end user so that they can control, via self-serve, what data is stored and with which services/partners it is shared. If you're interested in learning more, please contact us via our website.
