In May 2016, the new EU General Data Protection Regulation (EU-GDPR) entered into force. Affected companies, and in particular providers of storage solutions, have until May 2018 to bring their services into line with it. One example: the location of the server no longer decides whether the regulation applies; what counts is whether the people whose data is processed are in the EU. This has wide-ranging consequences for data transfers, data management and, where it becomes necessary, later deletion. Violations can lead to fines in the millions. We explain the essential changes and potential consequences for your company so that you can take timely action.
With the new rules, which apply in their final form from May 2018, EU citizens regain control over their personal data. Credits: Fotolia | © Grecaud Paul
- Overview of the most important changes to the EU-GDPR
- Check early whether your data is affected
- Differences between data protection law in the US and Germany
- What to do if relocation is necessary?
After years of discussion across Europe, the new EU General Data Protection Regulation was adopted in April 2016 and published in May 2016. Its goal is to strengthen the rights of EU citizens and protect them against data abuse and security risks, but some companies will need substantial efforts to comply with it. One of the essential changes is that whether the regulation applies no longer depends on where the server is located but on whether the person whose data is processed is in the EU (Art. 3): a company outside the EU that offers goods or services to people in the EU, or monitors their behaviour, is covered as well. This means that EU residents have rights that can be more extensive than those of other users of the same service. Also important: violations can be fined with up to 4% of the annual worldwide turnover or 20 million euro, whichever is greater. For large companies the fine can thus easily reach hundreds of millions of euros, because the 4% is measured against the turnover of the whole undertaking (the corporate group), not just the individual legal entity or subsidiary involved.
The regulation leaves room for individual national rules on some points (so-called opening clauses). Overall, however, it applies uniformly across Europe: it entered into force on 24 May 2016 and, after a two-year transition period, applies in full from 25 May 2018.
Other important changes within the new regulation that affect both your business customers and potential end customers are:
- Consent & right of access: Customers of your company must actively consent to the processing of their data (a clear affirmative action; pre-ticked boxes do not count), can withdraw that consent at any time, and can request at any time what data you hold about them, for what purpose and to whom it has been disclosed.
- Data portability: Customers have the right to receive the data they provided to you in a structured, commonly used and machine-readable format and to transfer it to another provider, or to have it transferred directly where technically feasible. Which concrete formats satisfy this requirement has not yet been specified.
- Right to be forgotten (right to erasure): Customers of your company must be able at any time "to be forgotten". This means that all data relating to the customer that is no longer needed to execute the business relationship (or to meet a legal retention duty) must be deleted by you upon request. This covers not only master data but also order histories, complaint records and sales figures. If you have already passed the data on to third parties or made it public, you must take reasonable steps to inform those recipients of the erasure and confirm the deletion to the person concerned.
- Minimum age: Children below 16 (member states may lower this to 13) can only consent to an online service with the consent of a parent or guardian, and you must make reasonable efforts to verify this by suitable means.
- Local complaints: Customers can lodge a complaint with the data protection authority of their own member state, in their own language, and do not need to address you first.
- Security incidents and successful attacks: A breach affecting personal data must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the affected persons. If the risk to them is high, the affected customers must be informed as well. Every breach must be documented internally, even when no report is required.
- Data protection officer: Appointing one is mandatory when your core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data (health, biometric, religious or political data, for example). National law can add further cases; Germany, for instance, ties the obligation to the number of staff who regularly process personal data.
- EU representative: Companies without an establishment in the EU that process data of people in the EU must in most cases designate a representative within the EU.
A whole range of new EU laws and regulations concern data storage. The law here has long been different from that in the US. Credits: Fotolia | © vege
While the essential data protection rules in Germany and Europe derive from the fundamental right to informational self-determination, data protection in the USA grew mostly out of consumer protection law. As a consequence, data protection on the other side of the Atlantic is viewed more pragmatically, and companies are bound more by negotiated agreements and sector-specific rules than by one comprehensive statute.
The main differences between the two continents look like this:

| Germany/Europe | US (+ some other countries) |
|---|---|
| Federal Data Protection Act (BDSG), EU-GDPR | No comprehensive data protection statute, only sector-specific laws |
| Subject to EU rules and regulations | The US government has wide-ranging powers to monitor data traffic, for example under the "Patriot Act" |
| Data secrecy is largely ensured | Data secrecy as such is practically unknown |
| Right to informational self-determination | Self-regulation of market participants |
| Independent data protection authorities (Federal Commissioner and state commissioners) | No dedicated (independent) data protection authority |
| Data typically remains within the data protection boundaries of a country | Data is transmitted worldwide without limitation and stored "somewhere" as needed |
| Penalties and orders, regulatory approach | "Blame and shame" (public exposure of violations), pragmatic approach |
| Authorities must be informed promptly when personal data is at risk | Internal attempts to fix data leaks first, before an agency needs to be involved |
| Rules apply regardless of whether the data is encrypted | Encrypted data is generally exempt from breach notification duties |

Table: Comparison of data protection laws in the US and Europe (1)
In the USA, the interests of companies and security agencies take priority, and in practice data protection is handled relatively loosely. The EU, and Germany in particular, focus on the rights of the individual, and data protection is treated as a fundamental right.
Data protection and security
First of all, you need to decide precisely which provider you will trust to help protect your internal company data. Ask the following questions when selecting your cloud provider:
- Is the provider located in the EU, or better still in Germany? Providers in other countries are often simply not familiar (enough) with the law that applies here. Nevertheless, as the company owner you remain responsible for compliance when it comes to your customers' data.
- Can the intended solution also function without an active Internet connection?
- Is the data encrypted in transit? Which protocol and version are used (TLS 1.2 or later should be the minimum), and are certificates validated?
- Is the transmission of data limited to only what is strictly necessary?
- Is the data encrypted whenever it is stored by the provider? Which algorithm and key length are used, and who controls the keys? Encryption performed by the provider with provider-held keys protects you against a lost disk, not against the provider itself or against anyone who can compel it to hand over data.
- Does the provider have an interest in keeping your data secure, or might it benefit from the data that you upload (advertising, tracking, selling data, spying)?
- Can it guarantee that it will operate in line with the EU-GDPR from May 2018 and support you with compliance, for example by signing a data processing agreement that meets the regulation's requirements for processors?
If you have placed user data in a public cloud and it has potentially been transmitted to countries outside the EU without a lawful transfer mechanism (such as an adequacy decision or standard contractual clauses), you will most probably be in violation of the law no later than the middle of 2018. If the provider there is unable or unwilling to work to the EU standard, you may even be required to request that the data be deleted and to enforce that request. This can take a lot of time in some cases and can also become very expensive.
Once the data is in a public cloud, it is no longer sufficient to just delete it locally. Credits: Fotolia | © momius
- Clarify which data has already been transmitted where (an inventory of data categories, storage locations and recipients), and to what extent you can replace the current solution with a cloud located in Germany.
- Identify the prerequisites for an appropriate level of data protection under the new EU regulation.
- If you decide to use cloudplan: have one of our consultants present a customised solution for you and install it at your location if desired.
- Test the solution(s) with real data.
- Transfer the data stored elsewhere back out of the clouds and onto your own systems.
- Load selected, non-sensitive data to a public cloud, if desired.
- Request that your previous provider deletes the existing data, citing applicable EU data protection law (withdrawal of consent and the right to erasure).
- Also request that the provider deletes the data completely from third-party systems, or confirms that your data has not been passed to any third party.
- Have all deletion procedures confirmed in writing once they are complete, and check by searching for fragments of the data on Google, for example.
Cloudplan is happy to help you with the execution of such deletion and transfer procedures and will provide individual advice on what procedure makes the most sense in your case.