GDPR, the new European privacy regulation, takes effect on 25 May 2018. But what does this new European law mean for you as a customer of Nucleus? We have listed the most important things below.
4 general things you should know about GDPR
GDPR is short for General Data Protection Regulation. The new regulation provides stricter protection of privacy. What do you need to know about that?
- Collecting data is regulated more strictly. For instance, the rules on explicit consent are much stricter, and every person has the right to see their data or have it removed.
- The concept of “personal data” is broader. Personal data is any information that can be used to identify a person, directly or in combination with other data. That means that, for example, a license plate, consumer behaviour or an IP address now also counts as “personal data”.
- The law applies to all businesses and organisations established in the EU, regardless of their size. If data belonging to people in the EU is processed by companies outside the EU, the GDPR applies to them as well.
- The law provides for high fines when the collected data is not handled correctly, when a data breach is not reported, or when the company does not perform the required risk assessments. Fines can run up to 20 million euro or 4 percent of worldwide annual revenue, whichever is higher.
3 roles you have to know within GDPR
The GDPR rules are quite complex, especially because as a company or organisation you sometimes end up in different roles. A brief explanation.
- Data subject: this is the person whose personal data is processed.
- Data controller: this is the party that collects the data and decides why and how it is processed. When you collect the name, address, payment details, etc. of your customers, you are the data controller.
- Data processor: this is the party that stores or processes data on behalf of, and as instructed by, the data controller. When you, as a customer of Nucleus, ask us to make a backup of your customer data, Nucleus becomes the data processor.
Now that you know all this, we can take a look at what you need to do to comply with the GDPR-rules and what Nucleus will take care of.
What do you have to do for your own company or organisation?
As a company or organisation, you of course need to make sure you are fully compliant with the GDPR. In this case you are in the role of data controller. That means, among other things:
- that you have to make sure that processing personal data is permitted (that there is a lawful basis for it, such as consent or the performance of a contract)
- that you have to make sure all your data is sufficiently protected
- that every breach of your security (a.k.a. a data breach) that involves personal data is reported to the authorities (in Belgium that is the privacy commission) within 72 hours of you becoming aware of it. In case of a data breach with “high risk” for the people involved, you also need to inform the data subjects concerned.
To know all the rules, it is best to take a look at the website of the privacy commission.
What do you have to do as a Nucleus customer?
As a Nucleus customer, you have to let us know what type of data you store with us (not the content, just the type of data) and indicate how we process it (read: hosting, backups, replication, etc.).
You can do that by filling out the online data registry we will be offering to you soon (more information will follow in your mailbox). The data registry is an overview of the types of personal data you process, where they come from and who they are shared with. That registry has to provide an accurate overview at all times. Should a data breach ever occur, that registry will help demonstrate that the rules are being followed.
Besides that, we will also add a GDPR addendum to our existing contract. With this new document, the arrangements between you as data controller and Nucleus as data processor will be recorded contractually.
What does Nucleus do?
Nucleus has a double role: that of data processor (for your customers’ data that you place with us) and that of data controller (for your own personal data as a customer of Nucleus).
As data processor, we take care of the data you have collected as data controller. In that role we make sure that
- it is clear who is responsible for the infrastructure: for infrastructure we manage for you (managed hosting), that is us; for your own equipment in our datacenter (colocation), it is still you
- every employee is trained on GDPR and knows what it requires of them
- your data is properly secured (our information security management system is ISO 27001 certified)
- we keep logs of the data processing we perform on your data
- we report a suspected or confirmed breach of the protections on infrastructure managed by us to you as soon as possible, so that you can meet your own 72-hour reporting deadline
- we closely follow the efforts our suppliers and partners make to become GDPR compliant
- should you, as customer, choose a different data processor, you receive secure access to your data or we provide you with a copy of it
As data controller, we manage your own personal information (as Nucleus customer). We make sure that we are completely GDPR compliant as well. That means that you have a number of rights as data subject.
- You can get access to all your data and have it corrected if necessary.
- At all times you can change your communication preferences or withdraw the consent you have given. You can do so here.
- You can ask for information about your data (how long we keep it, why we collect it, which people or organisations have access to it, etc.).
- You can ask us to remove your data. This concerns data for which you gave consent, or where there is another justified reason for removal. Data that is needed for contract-related reasons (to send invoices or to report on certain technical services, for example) is still retained.
Do you have any further questions about your specific situation (shared hosting, public cloud, private cloud, etc.)? Feel free to contact us with your question.