What is GDPR?
The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018, replacing the EU Data Protection Directive 95/46/EC. The GDPR applies to any company that has operations in the EU, and can also apply to non-EU companies that offer goods or services to EU residents or that monitor the behavior of EU residents, such as their online activities.
What does it cover?
These protected EU residents are called “Data Subjects” within the GDPR. The GDPR applies not only to companies collecting the personal data of EU residents (“Controllers”), but also any company processing that data (“Processors”). Under the GDPR definitions, Connectria could potentially be considered a Processor for any of our customers who are acting as a Controller, and who have engaged Connectria to act on their behalf to process the data of EU Data Subjects.
What is required?
Any Controller that wishes to have a company act as its Processor is required to have a written agreement between the parties, in which the Processor guarantees that it will follow the GDPR and, among other things, will:
- Only act on the Controller’s documented instructions;
- Impose confidentiality obligations on all personnel who process the relevant data;
- Ensure the security of the personal data that it processes;
- Abide by the rules regarding appointment of sub-processors;
- Implement measures to assist the controller in complying with the rights of Data Subjects;
- Assist the controller in obtaining approval from EU Data Protection Authorities (DPAs) where required;
- At the Controller’s election, either return or destroy the personal data at the end of the relationship (except as required by EU or Member State law); and
- Provide the Controller with all information necessary to demonstrate compliance with the GDPR.
In these types of scenarios, Controllers and Processors would implement the appropriate technical and organizational measures to ensure a level of security is in place that is appropriate to the risk, after taking into account the state of the art and the implementation costs of various security controls, among other factors.
Some of these security measures include:
- Encryption of personal data;
- Data protection systems to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Systems to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
How Connectria can help
If your organization is required to adhere to the GDPR, Connectria can help. If you are a Connectria customer who is required to adhere to the GDPR, please contact us as soon as possible to begin the process to ensure your compliance. We are a Processor for many companies worldwide, with more than 20 years’ experience in security and compliance, including EU data privacy and security. Our first hosting customer was Deutsche Bank, which in 1998 was the world’s largest bank, based in Germany. We were required to meet its strict banking industry security requirements, and we have since become the industry leader in security compliance hosting with more than 1,000 customers worldwide. We maintain numerous security compliance certifications including SSAE 18 SOC 1 & 2, ISO 27001, PCI-DSS, HIPAA/HITECH, FISMA, and FERPA, among others.
Please Note: There is currently no specific compliance test to demonstrate GDPR compliance, so it is up to each Controller and Processor to implement the security controls appropriate to protect the type of data they are processing and to minimize the potential risks.