The new EU General Data Protection Regulation (GDPR) is due to come into effect later this week on the 25th of May, and it’s important to know how it will affect your business if you operate within the European Union and the United Kingdom.
GDPR is an answer to the growing demand for better data privacy. It is designed to protect individuals' information and to place more responsibility on the organisations that collect or process personal data. The regulation affects any organisation that holds or processes personal data in any form, and the penalties for non-compliance can be severe: up to €20 million or 4% of the organisation's worldwide annual turnover, whichever is higher!
What is the GDPR?
The General Data Protection Regulation is an EU regulation aimed at strengthening the protection of an individual's personal data when it is collected or processed by an organisation. GDPR is also designed to give individuals more control over the way their personal data is collected and used.
The Information Commissioner's Office (ICO) has published a guide on preparing for GDPR, which outlines the following rights granted to individuals:
- the right to be informed – individuals have the right to know what data is collected about them, how it is processed and why, and under which lawful basis; consent is one such basis, but not the only one
- the right of access – individuals have the right to know what personal data is held about them and for what purpose, and to receive a copy of that data
- the right to erasure – individuals have the right, in certain circumstances, to have their personal data erased, and to have the controller tell any third parties it has shared the data with to do the same
- the right to data portability – individuals have the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit it to another data controller
- the right to object – individuals have the right to object to the processing of their personal data, including an absolute right to object at any time to processing for direct marketing
- the right to be notified of a breach – where a breach is likely to result in a high risk to individuals, the controller must tell them without undue delay. Separately, the controller must report the breach to the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, and a processor must notify its controller without undue delay after discovering a breach
In addition to the extended rights given to individuals, the GDPR also makes organisations more accountable for the way personal data is collected, held and processed, and requires them to be able to demonstrate that accountability.
The ICO's full guide is available on the ICO website.
What kind of personal information is protected?
The definition of personal data is broad and covers anything that can be used to identify an individual, directly or indirectly. This includes names, identification numbers, location data and email addresses, as well as online identifiers such as IP addresses.
A subset of personal data, referred to in the GDPR as special categories of personal data and commonly called sensitive data, receives additional protection and may only be processed under narrower conditions. The GDPR defines it as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data used to uniquely identify a person, data concerning health, and data concerning a natural person's sex life or sexual orientation.
GDPR aims to protect all personal data, and sensitive data in particular, so data processors and controllers are now obliged to be more transparent about how all personal data is collected, stored and used.
Data Processors & Data Controllers
Organisations that handle personal data fall into one of two roles under the GDPR: data controllers and data processors. Different obligations apply to each role, so it is important to understand which category your organisation falls under for a given set of data.
A data controller determines the purposes and means of processing personal data, in other words why and how the data is used. Controllers may process the data themselves, but in many cases the data is passed to a third-party data processor.
A data processor processes personal data on behalf of a data controller, and is usually a separate entity from the controller. Unlike the controller, the processor does not decide the purpose or use of the data; it is limited to processing the data on the controller's documented instructions.
Our role as a data processor
UKHost4u operates as a data processor for the data our customers host with us, while the customer is the data controller. We process that personal data on the customer's behalf and in strict accordance with the customer's instructions and purposes. We have limited knowledge of the data our customers process via our hosting infrastructure, and we only process the information necessary to provide the service. (For the account, billing and contact details we hold about customers themselves, we act as a controller in our own right.) All data is processed in our UK data centre, which is physically secured, uses strict access control, and holds an ISO 27001 certificate.
What are UKHost4u doing to be compliant with the GDPR?
Over the past weeks and months we have been taking measures to meet the requirements of GDPR. While no GDPR compliance certificate exists yet, our data centre holds ISO 27001 and ISO 9001 certificates and is fully PCI DSS compliant.
The protection of our customers' data is our highest priority, and we have made a number of changes to our internal procedures and policies:
- Reviewed our internal usage of customer data
- Ensured that all customer data is held securely and with effective safeguards in place
- Reviewed how we obtain marketing consent, in line with the “opt-in” principle set out by GDPR
Have any questions regarding GDPR or your personal information? Contact us or leave a comment below.