The General Data Protection Regulation (GDPR) deals with the safe storage of personal data. The law was passed to protect private data. By private data we mean all data that can be linked to an individual, such as name, email address, IP address, bank card details, passwords, copy of proof of identity, financial data, medical and social data. Through this new legislation, the EU aims primarily to give citizens back control over their personal data. It is therefore important that your infrastructure is built in such a way that the leakage or loss of data (which is also seen as a data breach) is prevented. You must be able to demonstrate that you have done everything within reasonable limits to prevent data loss.
GDPR in brief:
- Protection of European citizens’ personal data
- Measures against hackers, data loss and data breaches
- Procedure for data collection and storage of personal data
- Requesting permission to gather and use data
- Individuals have the right ‘to be forgotten’
- Increased safety measures are needed
- You must be able to report a data breach within 72 hours
- The National Authorities may apply fines
- In large organisations, a DPO (Data Protection Officer) must be appointed
- Data may not be stored without reason. You must not keep more data than is absolutely necessary
GDPR and assumptions
My supplier is major/well-known/market leader, so can I assume everything is in order?
Who does the GDPR apply to?
It applies to all the companies that:
- Are based in the EU
- Are based outside the EU, but supply goods and/or services to EU citizens
- Collect personal data and/or monitor the behaviour of EU citizens
When are you allowed to store data of a data subject?
- If you have the consent of the data subject
- It is of vital importance = Life or death
- To comply with your legal obligations
- It has been explicitly agreed
- Legitimate interest. Commercial objectives are not a legitimate interest!
Assumptions, privacy and security
Assumptions, I’ve heard something about them. If you are held liable for data loss, using ‘My supplier is a major/well-known/market leader, so I may assume everything is in order’ as a defence won’t do you much good. What’s more, it won’t stand up at all. Unfortunately, there are a lot of assumptions in ICT. We assume that administrators act in good faith, even though many cloud providers themselves have no idea who can access the network. We assume it’s secure because we have a good ICT supplier. We assume that encryption is enabled by default whereas the opposite is the case. The problem, of course, is that security can be a hindrance and you are probably in no position to judge whether it’s secure. But blindly believing a supplier without probing is not the way to go. ‘They said that’ is a poor defence. It’s for this reason that we have simply published our way of working online. After all, the way in which we do our job properly shouldn’t be a secret. You can read the whole thing at https://www.tuxis.nl/policies
You save personal data too
You’re probably gathering data right now. Think about the forms on your website, visitors registering for an event or a web shop that stores address details. Your email might also contain personal data. Files as well as your bookkeeping often contain personal data. Even the address book on your mobile phone is covered by this legislation. It is therefore important that ALL communications are encrypted and data is kept secure. Assume that all data is valuable and in principle may NOT be stored.
Standard at Tuxis: ‘Privacy by design’
The GDPR legislation emphasises the fact that the architecture and design of information systems must give meaning to the concept of ‘privacy by design’. This means that not only must the security and privacy of information be designed with this in mind, the management processes and procedures must too. Consequently, it will have a serious impact on every stage of the lifecycle of information systems that contain privacy-sensitive information. This is also one of the biggest problems organisations tend to struggle with. Their information infrastructure is generally developed and designed without taking this issue into account. It’s never too late to go through your design with us. Then we can examine together where we see problems and would therefore do things differently.
The different parties in GDPR
- Data subject
This is the owner of the data. It is the data subject’s personal data that must be protected.
The party who determines what is kept and how it is used. In our case, that’s you.
The party who may have access to the data or who stores the data. That’s the role we fill for our customers.
Danger: Jointly liable party
There may be a liable party you don’t know about. Anyone who determines what is stored and what is done with the data is liable. So if you think your supplier is not using your data but they are, then they are jointly liable. For example, a service provider who supplies a word processor, email solution, website statistics or file storage service, and scans the data for advertisements or statistics is also liable. Regardless of whether they share the actual data or have informed you, they have become jointly liable. You and your supplier are both liable in such a case. This means that the data processing agreement you received from that supplier is no longer valid. You cannot be a processor and liable for a single service. If data is leaked, the Personal Data Authority may itself determine which party is liable and may impose a fine. They will choose the easiest target, and it won’t be the giant supplier. The above is of course a major risk inherent in the public cloud. If a supplier scans the data so they can announce somewhere that they store 60,000,000 addresses, then this is reason enough to be considered a processor.
Perhaps you can understand why we have always been in favour of a private cloud while we also provide public cloud services. We do not scan or collect your data in our public cloud services and therefore remain a processor. Our earnings model is therefore not based on the gathering of data (see Danger: Jointly liable party). The security of a private cloud is much simpler because there are far fewer assumptions to be made on your part and it is therefore in line with the ‘privacy by design’ principle. It is usually more economical than the public cloud too. In other words, win/win.
What we can arrange for you in the cloud:
- Network security
- Infrastructure security
- Storage & Backup
- Data encryption
- Physical security of the data centre
The documentation below is relevant to you.
- General terms and conditions: We are the processor because we store data for you. The data processing agreement is included in the appendix to our general terms and conditions.
- Sensible use policy: The types of data you can store in the product concerned are set out here. It also contains information on how we ensure the data is safe.
- General policies: The policies according to which we work.
Feel free to contact us if you are unsure whether the services you are currently paying for meet your data security requirements.