GDPR and Future Privacy Legislation: What are your Options?
by Greg Batenburg, on May 25, 2018
Furthermore, as recently seen in Mark Zuckerberg's testimony before the United States Congress, other countries are beginning to take the issues of data ownership and privacy more seriously than ever before. Go ahead and jump straight down to my thoughts about the implications of this further below, but first, here is a bit of background on the new EU legislation that is likely to influence future rule-makers in the United States.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new data privacy regulation that came into effect on May 25, 2018 and aims to protect European Union citizens from privacy issues and data breaches. It is an important update to the now outdated Data Protection Directive 95/46/EC of 1995.
The GDPR is unique in that it doesn't just apply to organizations located within the EU. If a business or organization offers goods or services to EU residents, regardless of whether payment by the data subject is required, it is affected. It is important to stress that organizations cannot simply avoid GDPR obligations because they are outside the jurisdiction of the EU. If an organization fails to comply, it could face the same consequences as an organization located in the EU.
The penalty for noncompliance is steep and is issued in a tiered approach. The maximum fine for serious infringements is up to 4% of an organization's worldwide annual revenue for the prior financial year or €20 million, whichever is higher. These rules apply to both controllers and processors -- meaning cloud providers will not be exempt from GDPR enforcement.
What data is covered by the GDPR?
Virtually all data pertaining to individuals residing in the EU is protected under the GDPR. This not only includes sensitive information such as credit card and social security numbers, but also things like names, photos, email addresses, social network posts, medical information, and IP addresses. Basically, anything that can be used, either directly or indirectly, to identify a person is covered.
More specifically, these are a few of the key items stipulated in the legislation:
- Consent: The subject must provide clear consent to collect information and that consent must be presented to the subject in plain language.
- Right to be Forgotten: Data subjects may ask companies to erase their personal data, halt further dissemination of the data, and have third parties cease processing of the data.
- Breach Notification: If data is compromised, the subject is entitled to notification within 72 hours of the provider first becoming aware of the breach.
- Data Portability: The subject has the right to move data from one service provider to another.
- Right to Access: The subject has the right to obtain from organizations confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose.
Key Roles under the GDPR
To fully understand the implications of the GDPR, especially as it relates to cloud computing, you must first grasp the difference between two key roles defined in the regulation -- data processors and data controllers.
- Data Controller - is the entity that determines the purposes, conditions and means of processing personal data. Generally speaking, the GDPR treats the data controller as the party primarily responsible for activities such as collecting consent, managing consent revocation, enabling the right to access, etc. If a customer service agency, Company X, needs to retain records of customer information (e.g. phone numbers, addresses, email addresses, billing information), that company would be considered the data controller.
- Data Processor - is the entity that processes personal data on behalf of the controller. So in our example above, if Company X chooses to employ a cloud-based computing company, Company Y, to manage its data, Company Y would be considered the data processor.
Now, given the example above, if a breach were to occur that compromised the data of citizens in the EU, Company X, the data controller, would be considered the primary party responsible. However, that does not mean that Company Y, the data processor, is off the hook. Under the GDPR, data processors will now be subject to penalties and civil claims if a breach or privacy issue were to occur. This is one of the key differences in the new legislation.
Implications of Using Cloud Providers
There will always be some inherent uncertainty if your organization chooses to use a cloud provider for real-time video services. Determining the extent and location of cloud data storage can prove difficult. In cloud computing, data can be distributed over a number of geographical regions, and determining the location of that data is rarely straightforward; it relies solely on disclosure by your provider. Often the location of the cloud computing company's headquarters is different from the data centres where your data lives -- often not even in the same country. Data does not simply stay stagnant either. It can be moved from one location to another regularly, or it may reside in multiple locations at once.
Under historical rules, the physical location of the data determines which jurisdictional privacy rules apply. However, under the GDPR the physical location of the data subject is the decisive factor. The challenge for organizations working with cloud service providers is determining whether their data remains GDPR compliant throughout all the geographical regions it may reside in. Under the GDPR, companies are required to know where their data is, who is able to access it, and how it is being protected at all times.
Solutions for Your Organization
The uncertainty resulting from cloud-computing options can be eliminated if an organization chooses a strategy in which it controls all aspects of its transmitted and stored data. Self-hosted systems help mitigate GDPR risk by giving you oversight and control over all aspects of your clients' data. When you deploy your real-time video solution to a self-hosted cloud, you own the cloud infrastructure and you alone have the ability to access the data. In addition, you can also choose the geographical location of your server, further supporting GDPR compliance.
Similarly, you can choose to deploy an on-premise solution internally within your own network on your own hardware. This option has historically been attractive to hospital systems concerned with HIPAA compliance; however, it is also becoming popular again with organizations in the EU that want the same level of control over their clients' data.
It can be difficult to find a real-time communication solution that gives you the flexibility to choose how your data is handled. With Frozen Mountain's LiveSwitch, you can choose to self-host on cloud infrastructure of your choice (e.g., AWS, Microsoft Azure, Oracle) or deploy on your own on-premise hardware. Not only does this help to ensure GDPR compliance and customer security, but it is also often more cost-effective than pay-per-minute platform-as-a-service (PaaS) cloud providers.
Overall, there are several routes an organization can take when creating a GDPR-compliant real-time communication application - do your research and find the one that gives you the best flexibility and control over your data.