OnApp GDPR GuideMarch 2018
OnApp is committed to GDPR compliance across its activities. We also help our customers with their GDPR compliance with the privacy and security provisions of products and agreements. This guide summarises GDPR and how OnApp helps.
1. What is GDPR and when does it apply?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and comes into force in all EU Member States on 25 May 2018.
Regardless of where the processing of personal data takes place, GDPR applies to:
- processing by controllers and processors in the EU; and
- processing by controllers and processors not in the EU if the personal data is of data subjects who are in the EU, where the activities relate to offering goods or services to EU citizens and the monitoring of behaviour that takes place within the EU.
Non-EU businesses processing the personal data of EU citizens will have to appoint a representative located in the EU.
As an example of “processors” and “controllers” –
- OnApp asks Customer A for the name and email address of its CTO. Customer A is the “controller” of that personal data in its business, and OnApp becomes a “controller” of that data within the OnApp business.
- Customer A uses the OnApp Cloud software in its datacentre on which it hosts a payroll solution for a client. Customer A is a “processor” of personal data of which its client is the “controller”. OnApp is neither a controller or processor of the payroll data.
- Customer A uses the OnApp DRaaS product to back up its data. Customer A is the “controller” and OnApp is the “processor” – because the data now resides on OnApp hardware.
2. Key changes to data processing law
Data controllers must:
- implement effective, appropriate, technical and organisational measures to meet the requirements of the GDPR and protect the rights of data subjects;
- hold and process only the data absolutely necessary for the completion of their duties;
- limit access to personnel having a need to process the personal data;
- obtain clear consent to the purpose of the data processing which must be;
- attached to that consent,
- separate from consent to any other matters,
- clear and intelligible in plain language, and
- as easy to withdraw as it is to give.;
- notify a data breach within 72 hours of first having become aware of the breach, (data processors will also be required to notify the data controllers, “without undue delay” after first becoming aware of a data breach).
Data processors, not just data controllers, are now subject to the GDPR regime and must comply with it.
Data subjects have the right to:
- be informed (eg by a privacy notice)
- access their personal data
- rectification of inaccuracies
- erasure (to be forgotten)
- restrict processing (eg for GDPR non-compliance or inaccuracy)
- data portability (obtain and re-use) and
- object (to processing, on certain grounds).
3. Consequences of failure to comply
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting an impact assessment.
It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ will not be exempt from GDPR enforcement.
4. How OnApp Complies
For example, when you sign up as a customer of OnApp, we receive personal data from you about people in your organisation. As a data controller, we will only process that personal data for purposes specified by us for which we have received proper consent.
On the other hand, if you provide us with personal data that you control so that we can process it, then, as a data processor, we will process that personal data for the purposes specified by you and for which you have obtained consent.
If we provide personal data to our suppliers so that they can provide services to us, we will require them to process that personal data only as permitted by the data controller.
Among other actions, OnApp:
- Has a team of skilled engineers to develop and maintain security systems
- Submits the technology to testing by independent 3rd parties
- Engages lawyers who manage privacy and security compliance
- Has updated its customer agreements to reflect GDPR
- Has amended its agreements with its employees to address GDPR
- Has updated policies to manage the deletion of data
5. Customer’s Responsibilities
Customers using OnApp Services are responsible for how their data is used and processed within those Services.
Responsibilities of Data controllers include using data processors that provide sufficient assurance that they apply appropriate technical and organisational measures that meet the requirements of the GDPR.
6. Further Information
This guide is not advice and should not be relied on. You should take independent advice in respect of your rights, obligations and liabilities under GDPR.
For more detailed information refer to https://www.eugdpr.org/ and, specifically for the UK, to https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/