Overview
The General Data Protection Regulation (GDPR) is the most significant legislative change in European data protection law since the EU Data Protection Directive (Directive 95/46/EC), introduced in 1995. The GDPR, which became enforceable on May 25, 2018, strengthens the security and protection of personal data in the EU and serves as a single piece of legislation for the whole of the EU. It replaced the EU Data Protection Directive and all the local laws implementing it.
Uvation supports the GDPR and all Uvation services comply with its provisions. Not only is the GDPR an important step in protecting the fundamental right of privacy for European citizens, it has raised the bar for data protection, security and compliance in the industry.
The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data about EU residents, no matter where you or your enterprise are located. This document points you to information that will help you honor rights and fulfill obligations under the GDPR when using our products and services.
Terminology
Helpful definitions for GDPR terms used in this document:
What is the GDPR?
The GDPR gives rights to people to manage personal data collected by an organization. These rights can be exercised through a Data Subject Request (DSR). The organization is required to provide timely information regarding DSRs and data breaches, and perform Data Protection Impact Assessments (DPIAs).
Several points should be considered when implementing or assessing GDPR requirements:
The following tasks are involved to meet GDPR standards.
Data Subject Request (DSR)
The GDPR grants individuals (or data subjects) certain rights in connection with the processing of their personal data, including the right to correct inaccurate data, erase data or restrict its processing, receive their data and fulfill a request to transmit their data to another controller. The controller is responsible for providing a timely, GDPR consistent reply.
DSR FAQs
What actions will be required to complete a DSR?
DSRs involve six activities: Discovery, Access, Rectification, Restriction, Export, and Deletion.
What are your data sources?
A large fraction of an organization’s data is generated in Uvation Cloud Services. You may also find data relevant to a DSR in data generated by Uvation’s products and services, and in system-generated logs.
What kinds of data need to be searched?
Personal data may be found in customer data generated by Uvation’s products and services, and system-generated logs.
How will personal data be searched?
Searching for personal data may vary across our products and services. Administrators may access system-generated logs associated with a user’s activity.
In what formats should personal data be made available?
The GDPR ‘right of data portability’ allows a data subject to request a copy of personal data in a ‘structured, commonly used, machine-readable format’, and to request that your organization transmit these files to another data controller.
What does the GDPR require and what are my responsibilities as the controller?
As controller, the GDPR requires you to be able to:
What does the GDPR require and what are the responsibilities of Uvation as processor?
We must implement the appropriate technical and organizational measures to assist you in responding to requests from data subjects exercising their rights as discussed above.
How does Uvation enable you to respond to data subject requests?
Online Services offers a host of capabilities to enable you, as a controller, to respond to a data subject’s request. Uvation’s enterprise online services and administrative controls help you act on personal data responsive to data subject rights requests, allowing you to discover, access, rectify, restrict, delete, and export personal data that resides in the controller-managed data stored in Uvation’s cloud and datacenters. Online Services also provides data in machine-readable form should you need it.
Data Protection Impact Assessment
Under the GDPR, data controllers are required to prepare a Data Protection Impact Assessment (DPIA) for processing operations that are ‘likely to result in a high risk to the rights and freedoms of natural persons.’ There is nothing inherent in Uvation products and services that requires the creation of a DPIA. Rather, it depends on the details of your system configuration.
DPIA FAQs
When should you conduct a DPIA?
Controllers are required to perform a DPIA that addresses risks to personal data security, including risks arising from a data breach.
What is required to complete a DPIA?
The GDPR mandates that a DPIA includes:
What are my responsibilities as a Controller?
Under the GDPR, as a controller you are required to undertake DPIAs prior to data processing that is likely to result in a high risk to the rights and freedoms of individuals—in particular, processing using new technologies. The GDPR provides the following non-exhaustive list of cases in which DPIAs must be carried out:
The GDPR also requires that you must consult with your Data Protection Authority (DPA) before you begin any processing if you cannot identify sufficient processes to minimize high risks to data subjects.
What are the responsibilities of Uvation?
Uvation practices privacy by design and privacy by default in its engineering and business functions. As part of these efforts, Uvation performs comprehensive privacy reviews on data processing operations that have the potential to cause impacts to the rights and freedoms of data subjects. Privacy teams embedded in the service groups review the design and implementation of services to ensure that personal data is processed in a respectful manner that accords with international law, user expectations, and our express commitments.
These privacy reviews tend to be granular — a particular service may receive dozens or hundreds of reviews. Uvation rolls up these granular privacy reviews into Data Protection Impact Assessments (DPIAs) that cover major groupings of processing, which the Uvation EU Data Protection Officer (DPO) then reviews. The DPO assesses the risks related to the data processing to ensure that sufficient mitigations are in place. If the DPO finds unmitigated risks, changes are recommended back to the engineering group. DPIAs will be reviewed and updated as data protection risks change.
Uvation, as a processor, has a duty to assist controllers in ensuring compliance with the DPIA requirements laid out in the GDPR. To support our customers, relevant sections of Uvation’s DPIAs are abstracted and will be provided through this section in future updates with the intent of allowing controllers relying on Uvation services to leverage the abstracts in order to create their own DPIAs.
Breach Notification
The GDPR mandates notification requirements for data controllers and processors for a breach of personal data. As a data processor, Uvation ensures that customers are able to meet the GDPR’s breach notification requirements. Data controllers are responsible for assessing risks to data privacy and determining whether a breach requires notification of a customer’s DPA. Uvation provides the information needed to make that assessment.
Breach notification FAQs
What constitutes a breach of personal data under the GDPR?
Personal data means any information related to an individual that can be used to identify them directly or indirectly. A personal data breach is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.’
What are your responsibilities as the controller?
If a breach of personal data that is likely to result in a high risk to the rights and freedoms of individuals (such as discrimination, identity theft, fraud, financial loss, or damage to their reputation) occurs, the GDPR requires you to:
What are the responsibilities of Uvation as the processor?
After we become aware of a personal data breach, the GDPR requires us to notify you without undue delay. Where Uvation is a processor our obligations reflect both GDPR requirements and our standard, worldwide contractual provisions. We consider that all confirmed personal data breaches are in scope; there is no risk of harm threshold. We will notify our customers whether the data breach was suffered by Uvation directly or by any of our sub-processors. We have processes in place to quickly identify and contact security incident personnel you’ve identified in your organization. In addition, all sub-processors are contractually obliged to report their own breaches to Uvation, and provide guarantees to that effect.
How will Uvation detect a data breach?
All our services and personnel follow internal incident management procedures to ensure that we take proper precautions to avoid data breaches in the first place. However, in addition, Online Services have specific security controls in place across our platforms to detect data breaches in the rare event that they occur.
How will Uvation respond to a data breach?
To support you in the event of a breach of personal data, Uvation has:
– Security personnel trained on the specific procedures to follow.
– Policies, procedures, and controls in place to ensure that Uvation maintains detailed records. This response includes documentation that captures the facts of the incident, its effects, and remedial action, as well as tracking and storing information in our incident management systems.
How will Uvation notify me in the event of a data breach?
Uvation has policies and procedures in place to notify you promptly. To satisfy your notice requirements to the DPA, we will provide a description of the process we used to determine if a breach of personal data has occurred, a description of the nature of the breach and a description of the measures we took to mitigate the breach.
GDPR FAQs
Does Uvation make commitments to its customers with regard to the GDPR?
Yes. The GDPR requires controllers (such as organizations using Uvation’s enterprise online services) to use only processors (such as Uvation) that provide sufficient guarantees to meet key requirements of the GDPR. Uvation has taken the proactive step of providing these commitments to all customers as part of their agreements.
How does Uvation help me comply?
Uvation provides tools and documentation to support your GDPR accountability. This includes support for Data Subject Rights, performing your own Data Protection Impact Assessments, and working together to resolve personal data breaches.
What commitments are in the GDPR Terms?
Uvation’s GDPR Terms reflect the commitments required of processors in Article 28. Article 28 requires that processors commit to:
Under what basis does Uvation facilitate the transfer of personal data outside of the EU?
Uvation has long used the Standard Contractual Clauses (also known as the Model Clauses) as a basis for transfer of data for its enterprise online services. The Standard Contractual Clauses are standard terms provided by the European Commission that can be used to transfer data outside the European Economic Area in a compliant manner. Uvation has incorporated the Standard Contractual Clauses into all of our agreements. The EU-US Privacy Shield helps customers that want to transfer their data to the US do so in a manner consistent with their data protection obligations.
What are the other Uvation compliance offerings?
As a global company with customers in many countries in the world, Uvation has a robust compliance portfolio to assist our customers. To view a complete list of our compliance offerings including HIPAA/HITECH, ISO 27001, ISO 27002, ISO 27018, NIST 800-171, and many others visit our Compliance page.
How will GDPR affect my company?
The GDPR imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles:
You will need to understand what your organization’s specific obligations under the GDPR are and how you will meet them, though Uvation is here to help you on your GDPR journey.
What rights must companies enable under GDPR?
The GDPR provides EU residents with control over their personal data through a set of ‘data subject rights’. This includes the right to:
What are Processors and Controllers?
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller.
Does the GDPR apply to Processors and Controllers?
Yes, the GDPR applies to both controllers and processors. Controllers must only use processors that take measures to meet the requirements of the GDPR. Under the GDPR, processors face additional duties and liability for noncompliance, or acting outside of instructions provided by the controller, as compared to the Data Protection Directive. Processor duties include, but are not limited to:
How much can companies be fined for noncompliance?
Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet certain GDPR requirements. Additional individual remedies could increase your risk if you fail to adhere to GDPR requirements.
Does my business need to appoint a Data Protection Officer (DPO)?
It depends on several factors identified within the regulation. Article 37 of the GDPR states that controllers and processors shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10.
How much will it cost to meet compliance with the GDPR?
Meeting compliance with the GDPR will cost time and money for most organizations, though it may be a smoother transition for those who are operating in a well-architected cloud services model and have an effective data governance program in place.
How do I know if the data that my organization is processing is covered by the GDPR?
The GDPR regulates the collection, storage, use, and sharing of ‘personal data’. Personal data is defined broadly under the GDPR as any data that relates to an identified or identifiable natural person.
Personal data can include, but is not limited to, online identifiers (for example, IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, CCTV footage, loyalty scheme records, health and financial information, and much more. It can even include information that does not appear to be personal – such as a photo of a landscape without people – where that information is linked by an account number or unique code to an identifiable individual. And even personal data that has been pseudonymized can remain personal data if the pseudonym can be linked to a particular individual.
Processing of certain “special” categories of personal data – such as personal data that reveals a person’s racial or ethnic origin, or concerns their health or sexual orientation – is subject to more stringent rules than the processing of “ordinary” personal data. This evaluation of personal data is highly fact-specific, so we recommend engaging an expert to evaluate your specific circumstances.
My organization is only processing data on behalf of others. Does it still need to comply with the GDPR?
Yes. Although the rules differ somewhat, the GDPR applies to organizations that collect and process data for their own purposes (‘controllers’) as well as to organizations that process data on behalf of others (‘processors’). This requirement is a shift from the existing Data Protection Directive, which applies only to controllers.
What specifically is deemed personal data?
Personal data is any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. Personal data can include:
Am I allowed to transfer data outside of the EU?
Yes; however, the GDPR strictly regulates transfers of personal data of European residents to destinations outside the European Economic Area. You may need to set up a specific legal mechanism, such as a contract, or adhere to a certification mechanism in order to enable these transfers. Uvation details the mechanisms we use in the Online Services Terms.
I have data retention requirements through compliance. Do these requirements override the right to erasure?
Where there are legitimate grounds for continued processing and data retention, such as ‘for compliance with a legal obligation, which requires processing by Union or Member State law to which the controller is subject’ (Article 17(3)(b)), the GDPR recognizes that organizations may be required to retain data. You should, however, make sure you engage your legal counsel to ensure that the grounds for retention are weighed against the rights and freedoms of the data subjects, their expectations at the time the data was collected, etc.
Does the GDPR deal with encryption?
Encryption is identified in the GDPR as a protective measure that renders personal data unintelligible when it is affected by a breach. Therefore, whether or not encryption is used may affect the requirements for notification of a personal data breach. The GDPR also points to encryption as an appropriate technical or organizational measure in some cases, depending on the risk. Encryption is also a requirement under the Payment Card Industry Data Security Standard and part of the strict compliance guidelines specific to the financial services industry. Uvation products and services such as Cloud and Web Services offer robust encryption for data in transit and data at rest.
How does the GDPR change an organization’s response to personal data breaches?
The GDPR will change data protection requirements and impose stricter obligations on processors and controllers regarding notice of personal data breaches. Under the new regulation, the processor must notify the data controller of a personal data breach without undue delay after having become aware of it. Once aware of a personal data breach, the controller must notify the relevant data protection authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, controllers will also need to notify the affected individuals without undue delay. Additional guidance on this topic is being developed by the EU’s Article 29 Working Party.
Uvation products and services—such as Cloud or Web Services—have solutions available today to help you detect and assess security threats and breaches and meet the GDPR’s breach notification obligations.