In April 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR), a set of rules governing the processing and protection of personal data. The EU then gave organizations a little more than two years to update their people, policies and systems to meet the new regulation. On May 25, 2018, GDPR will go into effect, with steep penalties promised for those who fail to comply with its mandates.
Our clients have been updating their data protection plans and looking to TierPoint for guidance, information and technical resources to ensure their organizations are meeting the new requirements. With the “go live” date rapidly approaching, interest in this topic has increased. To help you prepare, we are sharing answers to some of the more common questions we are getting from our clients.
Our responses are based on our business interpretation of GDPR regulations related to our services and will not cover all possible scenarios. Nor can we predict the way individual GDPR Data Protection Authorities and courts will interpret or enforce the regulation as time goes on. As always, TierPoint cannot provide legal advice and this article should not be considered legal advice. Any compliance initiatives should involve the on-going involvement of your legal counsel.
Q: My business is based in the United States. Do I need to comply with GDPR?
A: GDPR is not about where your business is located, but about whose information you gather, store or process. GDPR protects the personal data of individuals who are in the EU (the regulation calls them "data subjects"), regardless of their citizenship. So, even though your business isn't located in any of the EU member countries, GDPR will apply if you offer goods or services to people in the EU, or monitor their behavior, and gather or process their personal data in doing so. Where you store or process the information does not change whether the regulation applies to you.
Q: What are the penalties for non-compliance?
A: There are two tiers of fines. The lower tier covers technical non-compliance, e.g., failing to keep records of processing, not meeting the breach notification timelines, or not putting a compliant contract in place with a processor. Though these infractions are considered less severe, the fines are still stiff: up to 10 million euros or 2% of global annual turnover, whichever is greater. The higher tier covers infringements of the core principles and of data subjects' rights. For example, not providing the required transparency into what data is being collected and how it is being used, or processing without a lawful basis, could result in fines of up to 20 million euros (about $24.6 million) or 4% of global annual turnover, whichever is greater.
What fines are levied and on whom, will end up becoming clearer as instances of non-compliance and breaches occur. Privacy advocates are already preparing to test the new regulations in court.
Q: Is GDPR a data security regulation?
A: That’s part of it. GDPR is designed to protect the privacy of EU citizens and give them greater control over how their personal data is used. Keeping personally identifiable information out of the hands of bad actors is only a part of that. The regulation introduces the “Privacy by Design” concept and defines EU-wide privacy rights that fundamentally change the ownership of personal data and responsibilities associated with personal data. As these regulations will fundamentally change how businesses gather, use, retain and dispose of EU personal data and the risks associated with that data, you should establish a GDPR compliance task force and involve heads of other departments, such as marketing and legal, rather than just addressing it as an IT issue.
Q: Does GDPR define personal data the way other regulations like PCI-DSS and HIPAA do?
A: GDPR (Article 4(1)) defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
The "directly or indirectly" language may catch a lot of companies unaware. Let's say you're gathering market information through a survey. If you're not collecting any obvious identifiers such as names, email addresses or phone numbers, you may think you're not covered by GDPR. However, if you have an IP address attached to each record (many marketing surveys collect one to ensure that responses aren't duplicated), that record is personal data: an IP address is an "online identifier" in the definition above, and even without it, the other fields collected, such as employment and educational history, may single out a specific individual when combined. The test is not whether a field is a name, but whether the fields together can identify someone.
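The survey scenario above, as an added example that is not part of the original article: a small privacy check a practitioner would run during a DPIA over a constructed, fictitious set of survey responses. Rows have no name or email, only an IP address (kept to de-duplicate submissions) and demographic fields. The code measures whether any combination of those "quasi-identifiers" singles out one respondent, then applies a data-minimisation step (drop the IP once de-duplication is done, generalise the degree to its field) and re-checks. The data, field names and functions are all assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample (fictitious; documentation-range IPs). One respondent
# submitted twice from the same address, which is why the IP was captured.
SURVEY_RAW = [
    {"ip": "203.0.113.17", "employer": "Acme GmbH", "degree": "PhD Chemistry", "city": "Berlin", "score": 4},
    {"ip": "203.0.113.17", "employer": "Acme GmbH", "degree": "PhD Chemistry", "city": "Berlin", "score": 4},
    {"ip": "203.0.113.42", "employer": "Acme GmbH", "degree": "BSc Chemistry", "city": "Berlin", "score": 2},
    {"ip": "198.51.100.9", "employer": "Acme GmbH", "degree": "BSc Chemistry", "city": "Berlin", "score": 5},
    {"ip": "198.51.100.77", "employer": "Nordbank AG", "degree": "MSc Finance", "city": "Hamburg", "score": 3},
    {"ip": "198.51.100.78", "employer": "Nordbank AG", "degree": "MSc Finance", "city": "Hamburg", "score": 4},
]


def dedupe(rows):
    """Keep the first submission per IP address; this is the only purpose
    the IP serves, so after this step it is no longer needed."""
    seen, kept = set(), []
    for r in rows:
        if r["ip"] not in seen:
            seen.add(r["ip"])
            kept.append(r)
    return kept


def _key(row, quasi_ids):
    return tuple(row[f] for f in quasi_ids)


def k_anonymity(rows, quasi_ids):
    """Smallest number of rows that share one combination of the given fields.
    k == 1 means at least one respondent is singled out by those fields alone,
    i.e. the record is 'indirectly' identifying even without a name."""
    counts = Counter(_key(r, quasi_ids) for r in rows)
    return min(counts.values())


def singled_out(rows, quasi_ids):
    """Rows whose quasi-identifier combination is unique in the data set."""
    counts = Counter(_key(r, quasi_ids) for r in rows)
    return [r for r in rows if counts[_key(r, quasi_ids)] == 1]


def minimise(row):
    """Data-minimisation step (assumed policy for this example): drop the IP
    entirely and generalise 'PhD Chemistry' -> 'Chemistry', keeping only what
    the analysis actually needs."""
    return {
        "employer": row["employer"],
        "field": row["degree"].split(" ", 1)[1],
        "city": row["city"],
        "score": row["score"],
    }


if __name__ == "__main__":
    rows = dedupe(SURVEY_RAW)
    demo = ("employer", "degree", "city")
    print("k with IP:", k_anonymity(rows, ("ip",)))
    print("k without IP:", k_anonymity(rows, demo))
    print("singled out without IP:", singled_out(rows, demo))
    minimal = [minimise(r) for r in rows]
    print("k after minimisation:", k_anonymity(minimal, ("employer", "field", "city")))
```

With the IP present every row is unique (k = 1), so each record is plainly personal data. Dropping the IP is not enough: the one PhD chemist at Acme in Berlin is still singled out by employer, degree and city. Only after generalising the degree does every combination cover at least two respondents. A small k is still weak protection, and a pseudonymised data set remains personal data under GDPR; the point of the check is to show that "we don't collect names" is not the test.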
Also, HIPAA and PCI-DSS are focused mainly on securing a specific class of data, Protected Health Information (PHI) and Cardholder Data (CHD) respectively. GDPR goes beyond security to define privacy rights that give individuals control over their personal data, including the right of access and the right to transparency, allowing them to see what you have collected and what you are doing with it. They also have the right to object to processing, to withdraw consent at any time, to have their information corrected, and to have it erased. GDPR also requires data protection by design and by default when launching a new product or service: privacy considerations must be addressed upfront in the design process rather than as an afterthought, which includes minimizing the data gathered and establishing a lawful basis for gathering it. If you do business with customers in the EU, you should evaluate whether you are meeting this requirement by conducting a Data Protection Impact Assessment (DPIA), which the regulation makes mandatory for processing likely to pose a high risk to individuals.
Q: Does GDPR require me to use a data center in one of the EU member countries?
A: No. Again, GDPR is less about where you store data than what data you gather and how you protect and use it. Data may leave the EU as long as the transfer is covered by a recognized mechanism: storage in a country the European Commission has found to provide adequate protection, or another approved safeguard such as the EU-US Privacy Shield or the Commission's standard contractual clauses. There is no need to scramble to move data to the EU if that doesn't make sense for your business model; however, you should ask your current data center provider whether they are prepared for GDPR and, at minimum, have implemented adequate security controls and understand the different roles and responsibilities established under the regulation.
The Data Controller is the entity that determines the purposes and means of processing the personal data. You decide what information to collect and what is done with it. The Data Controller may outsource some processing functions, such as data storage and transmission, to third parties known as Data Processors, but not its responsibility for the security of the data or for overseeing the entities that process it. A Data Processor may in turn outsource some processing tasks or services to sub-processors, but only with the controller's prior authorization and under the same data protection obligations, and again without shedding responsibility for monitoring those sub-processors.
Under GDPR, TierPoint is defined as a Data Processor (or in some cases a sub-processor). TierPoint’s responsibilities as a Data Processor are defined in our contracts and are limited to the logical and physical security of data in accordance with the services outlined in service agreements between TierPoint and its customers. We are responsible for maintaining the data center and cloud infrastructure that our clients use to host and transmit personal data but do not have a business need to view, modify, manipulate, transmit, or otherwise use the personal data to deliver contracted services. TierPoint undergoes annual third-party audits, including SOC 2 Type II, PCI-DSS and HIPAA, that focus on the security and availability of our data center services system.
GDPR requires a written contract between Data Controllers and Data Processors that sets out each party's obligations, but that shared responsibility in no way absolves or lessens the responsibility of any of the parties. Each organization should conduct a DPIA and review the Terms and Conditions and Data Protection Agreements (DPAs) it has with its own Data Processors to confirm that the terms for processing and protecting data are appropriate.
Q: How can I be sure my data center has adequate controls in place? Is there some sort of certification I should look for?
A: There is no GDPR certification process for data centers. Two things you should look for in US data centers are EU-US Privacy Shield participation, which addresses the transfer of data out of the EU rather than compliance as a whole, and industry-recognized third-party security audits. As explained on the U.S. Department of Commerce website (Commerce.gov), Privacy Shield is a "framework designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce."
With the GDPR deadline looming, it’s important for organizations to understand how they are impacted and take steps to ensure they have plans in place to meet the new standards. If you have more specific questions about this regulation, please feel free to reach out to us here. One of our compliance experts would be happy to provide TierPoint’s perspective.