There are new data protection regulations on the horizon. The General Data Protection Regulation (GDPR) is an EU regulation which will apply directly in all EU member states, including the UK (despite Brexit), from 25th May 2018.
The last time data protection law was substantially updated was the 1995 Data Protection Directive, which led to the UK’s Data Protection Act 1998. Back then, the Internet was in its infancy and most of the online services we take for granted today either didn’t exist or were brand new (Google, for example, was founded in 1998). The GDPR, around 20 years later, brings data protection up to date with the 21st century.
Skip forward to today and software as a service (SaaS), online storage and hosting providers (collectively, “cloud services”) are all part of our everyday use of the internet, whether that is a storage service like Dropbox, an email service like Hotmail or the hosting of our websites.
What all these kinds of service have in common is that, one way or another, they allow data to be processed away from the Data Controller’s own “in house” systems.
We’ve already written about the roles of Data Controllers and Data Processors under the GDPR in our “7 Steps” article, but just to repeat: if a third party processes personal data on your instructions, you are the Data Controller and the third party (or the third party’s service) is a Data Processor.
What this means in the world of internet hosting is that cloud service providers and hosting companies whose services are used for the storage, processing, editing, etc. of personal data are Data Processors. And the GDPR introduces some interesting challenges for services of this type in their role as Data Processors (as discussed in the “7 Steps” article).
But, as a Data Controller, you’re not let off scot-free. You still have responsibilities when your data is processed in the cloud. This article addresses one of the areas you need to care about for your own compliance: where your data is stored, in terms of its physical location in the world.
Restricting the transfer of personal data outside the EU is not a new GDPR concept. It was a fundamental principle of data protection under the 1995 Directive and remains so under the GDPR.
In a nutshell, you can’t transfer (or process) personal data outside the EU unless the destination country has a data protection regime which the European Commission has found to be adequate, that is, essentially equivalent to the EU’s. If the country doesn’t have an adequate data protection regime, then you shouldn’t transfer data to it unless an approved contractual mechanism (such as the Commission’s standard contractual clauses) or another recognised safeguard is in place. So, for example, US data protection law as a whole is not considered adequate and doesn’t meet the requirements of EU rules, but US businesses can sign up to the Privacy Shield Framework to commit to processing EU data in line with EU data protection rules. (Note that the Privacy Shield was later invalidated by the Court of Justice of the EU in July 2020, in the Schrems II judgment, so it can no longer be relied on as a transfer mechanism.) Non-EU data transfer is much more complex than that, but that’s fundamentally it.
So, what’s this got to do with cloud services and data processing? Well, if you use a cloud-based service to process personal data (e.g. Dropbox, SharePoint, MailChimp, HubSpot, Salesforce, etc.), is that storage or service provided from servers within the EU or outside it?
If your data is hosted with a cloud provider whose physical servers are not within the EU, then you can’t use that service unless the appropriate GDPR-compliant international transfer conditions are met (an adequacy decision, an authorised contractual mechanism, etc.).
Of course, if you use a hosting provider, like Storm, whose servers are in the UK or elsewhere within the EU, then you can be assured that the server location, at least, is compliant from a “transfer” perspective, and that’s one less thing you need to worry about. You’ll still need to carry out due diligence on these providers, as you need to be sure the other aspects of their services meet your GDPR obligations. If your data is processed on servers outside the EU, not only will you have to obtain the adequacy or contractual assurances, but you’ll also need to be sure that the service is compliant in all the other GDPR areas too. So, what due diligence are you carrying out on your cloud provider? Are you processing data in the cloud in a GDPR-compliant way? Are you using cloud services running on servers outside the EU? Is your cloud processing lawful?
As a UK-based hosting provider, all our servers are located in the UK, so our hosting gives you one less thing to worry about. But that’s not all: over the coming months we’ll be producing more evidence that you can trust Storm’s services from a GDPR compliance perspective, so watch this space.
So, yes, you do need to care where your data is stored. It’s a matter of data protection compliance, and it could be the difference between processing your data lawfully and facing an enforcement fine.
This guest post has been written by Mark Gracey, founder of the Flavourfy Digital consultancy and the Digital Compliance Hub, an online resource to help businesses meet their digital regulatory obligations including GDPR compliance, privacy and marketing compliance and data security.