What is the General Data Protection Regulation (GDPR)?
The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR is superseding the EU Data Protection Directive from 1995. The regulation contains provisions and requirements pertaining to the processing of personally identifiable information of individuals inside the EU, and applies to all enterprises, regardless of location, that are doing business with the EEA. Business processes that handle personal data must be secured and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data subject. The data subject has the right to revoke this permission at any time.
At BigScoots we’ve seen an increasing number of clients contact us with questions on GDPR. Rightfully so: many are confused about their own requirements as well as how BigScoots fits in.
At our core, BigScoots has always believed in treating our clients’ data in the ethical way we’d want our own data to be treated! As such, we’ve never resold information, have always worked towards a very high level of security when dealing with sensitive data and, while we’ve never had a breach of any sort, have had protocols in place to properly notify and resolve issues in the event of such a disaster.
BigScoots does not have any formal corporate ties to the EU or EEA; however, we are seen as a data processor in the eyes of GDPR compliance for many of our EU clients. For this reason we are working towards making our clients’ lives easier by complying with GDPR stipulations.
Through the eyes of GDPR we are seen as a data processor for our EU clients; therefore, we will be constantly working towards addressing EU data protection requirements applicable to data processors. These include:
Data processing: This refers to the requirements laid out in Article 28 of the regulation, where you, as the data controller, have selected BigScoots as your data processor. You are using a third party, in this case BigScoots, to process at least some of the personal data you are collecting from your own clients (visitors). Because of this requirement we have reassessed our current privacy and data protection policies and decided to take the additional step of registering with Privacy Shield.
The EU-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. The European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.
A bit more on Privacy Shield:
- Privacy Shield will serve as a data transfer mechanism under the EU General Data Protection Regulation (GDPR).
- The Privacy Shield was also designed with an eye to the GDPR, addressing both substantive and procedural elements.
- The Privacy Shield includes an annual review, which was designed to address the GDPR’s requirement for a mechanism for a periodic review, at least once every four years, of relevant developments.
- Privacy Shield is a mechanism that enables participating companies to meet the EU requirements for transferring personal data to third countries, discussed in Chapter V of the GDPR.
- BigScoots has elected the EU data protection authorities (DPAs) to serve as our independent recourse mechanism for data transferred from the EU.
Data sharing: The data our customers store with BigScoots has always been and will remain 100% theirs, except for services otherwise agreed to, such as domain registrations, where we are required to pass along information to ICANN as well as to other third parties associated with SSL or CDN services.
Third-party audits and certifications: BigScoots operates under a SOC2 and SSAE16 audited data center demonstrating our commitment to information security best practices. This provides independent and expert verification that information security on our network is managed in line with international best practices and business objectives.
What do you need to do?
First, as a data controller it is your job to understand your role in the transmission of sensitive data. You should familiarize yourself with the provisions of the new GDPR regulation. Understand how the new regulations may differ from your current data protection obligations and consider any changes to working practices that may need to be implemented.
Second, audit the information you hold and the processes that capture such data. Review your current controls and processes to ensure that they’re adequate, and build a plan to address any gaps. Consider creating an updated and precise inventory of personal information that you control.
Third, stay informed. Keep up to date on regulatory guidance as it becomes available and consider consulting a legal expert to obtain guidance applicable to you. It is advised to take in the information provided on the Information Commissioner’s website, the UK representative within the EU working group.
Finally, take a step back, take a breath and consider how GDPR is meant to impact you personally. The idea behind GDPR is to regulate big businesses so that they do not misuse information and to return control over an individual’s private data back to the individual. Your compliance in most cases is self-reported, but do not take the privilege lightly. Even as a non-EU or EEA business, website or citizen, dealing with any EU or EEA presence will mean your own compliance is an asset to complying businesses. It also offers up a commitment to your clients that you value their privacy and will treat their information with respect.
In our view, GDPR is an opportunity for complying businesses to demonstrate their efforts towards a more secure internet. BigScoots supports what the GDPR stands for, and this is our formal commitment to continue to treat our clients and our clients’ data with the utmost respect.