The introduction of the EU General Data Protection Regulation (GDPR) in a few days is a once-in-a-generation update to our existing and somewhat outdated data protection laws from 1998.
GDPR is a complex framework of requirements. At its heart is the principle of “data privacy by design and default”, which requires that any risks to personal data are mitigated before processing activities can commence.
GDPR brings with it greater rights for data subjects, allowing each citizen more visibility and control over how their personal data is processed. And as the reporters keep telling us, there are significant financial penalties available if GDPR’s requirements are not strictly complied with, or a breach of personal data takes place.
With fines as high as £17m/€20m, this should be a sufficient deterrent for organisations to take GDPR seriously and ensure that their personal data processing activities are secure and compliant.
Website operators, in the vast majority of cases, provide their services to other organisations. As such they are providing a service that is unique to each customer, and which collects, processes and stores website data in accordance with their requirements.
GDPR updates the two roles of “data controller”, meaning the organisation legally responsible for the security and protection of the personal data being processed, and “data processor”, meaning an organisation that undertakes processing on behalf of the data controller in accordance with the controller’s written instructions. This places an increased responsibility on website operators when acting as data processors to ensure that they fully understand and deliver the services mandated by their customer.
Conversely, data controllers are required by GDPR to use only data processors who can provide sufficient guarantees that GDPR’s requirements will be met, using a combination of technical and organisational measures. This means that customers will be asking more detailed questions about the provision of website services before signing a contract, and website operators are encouraged to formulate their responses to assist their potential customers. What might be asked?
- Technical security of the website environment – which services and software underpin the website, and how are these securely designed and managed (licensing, patching, testing, etc.)?
- Access controls and privilege management – which staff (and IT systems) are permitted to access the backend of the website, and for what purposes?
- How is the web hosting environment monitored? Can it detect unauthorised access or data breaches, such that an established data breach notification procedure can be triggered?
- How much personal data is collected and processed? Is it the minimum needed for the processing task? How long is it retained for and how is it securely disposed of?
- Where are the website and related services hosted and managed from? If outside the EU/EEA, does the country concerned provide an adequate data protection framework?
- Are there any sub-processors engaged by the website operator?
- How can the website operator assist the customer with data subject rights requests?
Whilst it’s clear that GDPR requires significant focus and effort from all businesses, it is entirely appropriate for the level of personal data processing in today’s world. And let’s not forget that each one of us is a data subject, and we should all have a reasonable expectation that our personal data is being kept securely, processed only for purposes we understand, and promptly deleted when no longer needed. That’s not too much to ask, is it?
Andrew Beverley is CTO of InfoSaaS, a leading provider of cloud-based solutions which are helping organisations to be fully compliant with GDPR.