Personal data breaches, outsourcing contracts and cloud services raise many questions with regard to GDPR, even though they are only a fraction of the aspects the data protection regulation requires organizations to consider. In this blog we go through the points on these subjects that have raised the most questions among our customers.

Once an organization becomes aware of a data breach, or has justifiable reason to suspect one, it is legally required to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the data subjects. The clock starts at the moment of awareness, not at the end of the internal investigation, so a late notification must be accompanied by the reasons for the delay. If the breach is likely to result in a high risk to the rights and freedoms of the data subjects, they must also be informed without undue delay, told what the breach means for them and advised on how to mitigate its effects.

Concealing a breach, or failing to detect one through negligence, entitles the supervisory authority to impose the administrative sanctions set out in the regulation. In practice these take the form of fines scaled to the circumstances of each case, or of corrective orders concerning the processing of personal data.

The supervisory authority can also order processing to be suspended. Sanctions remain possible even where the controller had encrypted or otherwise protected the personal data, if that protection was left unmaintained, poorly maintained or neglected. Moreover, anyone who suffers damage as a result of a breach has the right to seek compensation from the controller or the processor. It is therefore more than wise to have a documented breach response process in place before a breach happens, covering detection, internal escalation, the 72-hour notification and communication with the data subjects.

Outsourcing and responsibilities

Nearly all organizations use outsourced services. Liability with regard to external service providers, and the degree to which responsibility can be transferred to them, remain unclear to many. To be clear: the controller is responsible for the processing of personal data, and that responsibility cannot be outsourced.

The responsibility stays with the organization itself. Compensation between the parties can be agreed upon separately. It is therefore vital that contracts with service providers state each party's responsibilities and duties in the processing of personal data.

GDPR sets specific requirements for the contents of such a contract. If a company has outsourced any of its data processing to a third party, it is recommended to review the existing contracts and validate that they comply with the regulation. Such an external processor can be, for instance, a payroll service provider, a cloud service provider or an outsourced sales and marketing agency.

According to the regulation, when outsourcing the processing of personal data, the controller (the party that determines the purposes and means of the processing) and the processor (the party that processes the data on the controller's behalf) must agree in a written contract on at least the following aspects:

  • Subject-matter and duration of processing
  • Nature and purposes of processing
  • Type of personal data and the categories of data subjects
  • Obligations and rights of the controller

The same contract must also bind the processor to process the data only on the controller's documented instructions and to notify the controller of a breach without undue delay; without the latter, the controller cannot meet its own 72-hour deadline. It is highly recommended that all new contracts state that both parties will comply with GDPR from 25 May 2018 at the latest, the date the regulation becomes applicable.

“Typically, a public cloud service provider retains the right to change its terms of use as it wishes, including the right to transfer data outside the EU/EEA. So, how should one react to something like this?”

According to GDPR, the controller and the processor need to know where the personal data is processed and stored. Transfers outside the European Economic Area are permitted only on a basis the regulation recognizes, such as an adequacy decision for the destination country or appropriate safeguards like standard contractual clauses or binding corporate rules. Cloud services may use servers located outside the EU/EEA, and the equipment may be operated by providers established outside the EU. In such cases the transfer must rely on one of these mechanisms. In practice this means checking where the provider's data centers are, fixing the permitted processing locations in the contract, and requiring advance notice of any change to them rather than accepting unilateral changes to the terms of use.

As the new regulation creates new obligations for companies and added administrative work, planning and executing GDPR compliance should start as soon as possible. The transition window is a year, so the time left to become compliant is rather short. Now is the time to act. An analysis of your current data security and data protection status by an external specialist is a recommended first step. We are more than happy to help you get ready for GDPR!

Contact Information:
Piia Hoffsten
Chief Operating Officer
piia.hoffsten (a) isletgroup.fi
+358 40 5877 303
