The GDPR is not sector-specific and applies globally to organisations of all types and sizes that collect, store or process personal data of EU individuals.
If your business is based in the EU you are subject to the GDPR.
If your business is based outside the EU it is subject to the GDPR if it either:
According to the definition under Article 4 (1) “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Let’s start with the definitions first. Each time an entity processes personal data it acts either as a controller or as a processor.
These two roles come with different responsibilities, and it is very important that you understand the legal obligations that apply to each role.
In answer to the question, if you’re running a data centre you are likely to be both: a controller in relation to the personal data of your employees if they are EU individuals, and a processor for your customers who are storing personal data of EU individuals in your data centre.
Below are the first three steps which are crucial for every organisation:
Decide what processes you need to update or implement: e.g. handling information requests, deletion of data, data portability, security frameworks, etc.
Both Google and Microsoft have announced that they are committed to ensuring compliance of their services with GDPR and that they will be rolling out contractual amendments in advance of May 2018, when GDPR kicks in. However, simply moving all personal data to these cloud services does not make you compliant: you still need to fulfil the responsibilities of your role as a data controller (for example, how you configure your organisation’s settings for the service and who you give access to). It’s important to remember that compliance remains a shared responsibility.
The GDPR will push every organisation that handles personal data of EU data subjects to become more robust in its ability to demonstrate that it can protect the privacy of that data, and to bring its privacy policies and programmes to a new standard of security.
Our 10Duke Identity Provider and Entitlement Service can help you achieve compliance by ensuring that all user access to data is logged and that an audit trail can be provided when required. Also, the users’ personal data held by the Identity Provider can easily be exposed to the end user, so that they can control, via self-service, what data is stored and with which services/partners it is shared. If you’re interested in learning more, please contact us via our website.