On May 25, the European Union’s General Data Protection Regulation (GDPR) will come into force. The impact of these regulations will be significant for businesses in the EU, and beyond, that handle and manage personal data. Designed to enable EU residents to better control their personal data with one single set of rules regardless of where that data is collected, the GDPR represents a significant advance in privacy protections and the mechanisms for ensuring their effectiveness. Many companies are questioning what these rules mean for them and for their hosting providers. Read on to learn what we’re doing, what you need to do, and how we can help.
What GDPR Means For You and Your Business
It is important to note that if you are a GT.net customer that collects personal data relating to EU residents, the GDPR classifies you as a data controller.
Here is a brief overview of the key responsibilities of a data controller (as detailed in the regulation itself):
- Organizations that regularly process sensitive personal information on a large scale must appoint a data protection officer (DPO).
- Controllers are required to conduct privacy impact assessments (PIAs) to assess privacy risks when processing highly sensitive data and must also maintain records of processing activities.
- Consent to process personal data must be freely given by the data subject, be clear and distinguishable from other matters, and provided in an intelligible and easily accessible form, using clear and plain language.
- Data breaches that are likely to harm individuals must be reported to the relevant member state Data Protection Authority within 72 hours of the data controller first having become aware of the breach.
- Additional responsibilities include data portability (e.g., assisting individuals in the transfer of their data from one data controller to another upon request); erasing personal data without undue delay if an individual objects to processing; and making personal data accessible to data subjects as requested.
GT.net’s Role as a Data Processor
As a hosting provider, GT.net is considered a data processor under the GDPR. Our clients are required to ensure that GT has the appropriate security controls in place to protect personal data.
For the most part, these regulations are not unfamiliar to organizations like GT.net, which have been required to comply with similar Canadian private sector privacy laws since 2004. However, we take the new GDPR responsibilities very seriously, and want to make this process as easy as possible for the businesses we serve. To that end, we have been proactive in taking the necessary steps to ensure that we meet all of the Service Organization Controls (SOC2) Trust Service Principles, including security, availability, confidentiality, privacy and data processing. (Please note: GT’s current SOC2 Report can be made available to you upon request; our upcoming one will be available in May of 2018.)
We have also taken other critical steps to meet our obligations as a data processor under the GDPR and to ensure we can assist data controllers in meeting their GDPR responsibilities as well, including:
- Entering into written agreements with our clients, as required by the GDPR, that stipulate privacy protective provisions and an overall duty of confidentiality respecting the data we hold
- Complying with our clients’ instructions in order to assist them in fulfilling a data subject’s rights under the GDPR
- Developing procedures to notify the data controller of any data breach that is a result of GT’s data processing activities
- Appointing a DPO and cooperating with European data protection authorities as necessary in the context of an investigation
Organizations operating both within and outside of the EU will be exposed to significant financial liability for non-compliance with the GDPR. It is important to consider its requirements very closely, including its extra-territorial reach. Organizations that are found to have violated legal rights and obligations under the GDPR can find themselves subject to significant sanctions, including fines up to the greater of €20,000,000 or 4% of the organization’s annual revenue.
GT.net has always had a strong commitment to privacy and data security. Given these impending regulations, we have also reviewed our practices and procedures – both substantive and procedural – and made the necessary adjustments to meet these compliance responsibilities. As always, you can trust GT.net with your data, whether or not it involves the personal data of EU residents.
For more information on our privacy and data security practices or what the GDPR means to you and your operations, please don’t hesitate to contact us.