My business is not based in the EU – to what extent does the GDPR apply to me?

The GDPR is not sector-specific and applies globally to organisations of all types and sizes that collect, store or process personal data of EU individuals.

If your business is based in the EU you are subject to the GDPR.

If your business is based outside the EU it is subject to the GDPR if it either:

1. Offers goods or services to EU data subjects
2. Monitors the behaviour of EU data subjects

What’s included under the “personal data” umbrella?

According to the definition under Article 4 (1) “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

I run a private data centre – am I a data controller or a processor under the GDPR?

Let’s start with the definitions first. Each time an entity will process personal data it will either wear the hat of a controller or a processor.

In summary:

• “Controllers” are entities that exercise control over the processing of personal data and determine which data to collect. All organisations are likely to process at least some personal data as data controllers (even if only in relation to their own employees)
• “Processors” are entities which process personal data on behalf of the controller e.g. outsourced service providers

These 2 roles come with different responsibilities and it is very important that you understand the legal obligations that apply to each role.

In answer to the question, if you’re running a data centre you are likely to be both: a controller in relation to the personal data of your employees if they are EU individuals and a processor for your customers who are storing personal data of EU individuals in your data centre.

Preparing for the GDPR – where do I start?

Below are the first three steps which are crucial for every organisation:

1. Data Inventory: Identifying what data you hold is a key first step. Start assessing your existing database by documenting what type of personal data does your organisation process and by mapping data input and output sources.
2. Classify, classify, classify A well-planned data classification system makes essential data easy to find and retrieve. Make sure you differentiate between personal data and sensitive data (e.g. personal data concerning health, genetic and biometric data, data revealing racial or ethnic origin, etc. – see Article 9).
3. Data cleanse and Future-proofing all personal data which is stored and used by your organisation needs to be cleansed & de-duplicated. GDPR is strengthening data subject rights so anyone requesting their personal data file must receive it within 30 days & free of charge.

Decide what processes you need to update or implement: e.g. handling information requests, deletion of data, data portability, security frameworks, etc.

My organisation is using a combination of Google Suite and Microsoft Office 365 and all our data records are stored in the cloud. If they are compliant am I still responsible for securing my data?

Both Google and Microsoft have announced that are committed to ensuring compliance of their services with GDPR and that they will be rolling out contractual amendments in advance of May 2018, when GDPR kicks in. However, by just moving all personal data to these cloud services it doesn’t mean that you’re compliant and you still need to fulfil the responsibilities of your role as a data controller (your organisation’s settings for the service, who do you give access to). It’s important to remember that compliance remains a shared responsibility.

The GDPR will push every organisation that handles personal data of EU subjects to become more robust in their ability to demonstrate that they can protect the privacy of the data and bring their privacy policies and programmes to a new standard of security.

How can 10Duke help?

Our 10Duke Identity Provider and Entitlement Service can help you achieve compliance by ensuring that all user access to data is logged and an audit trail can be provided when required. Also, the users’ personal data that is held by the Identity Provider can easily be exposed to the end user so that they can control, via self-serve, what data is stored and to which services/partners it is shared. If you’re interested in learning more, please contact us via our website