The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation that provides a single, harmonized data privacy law for the European Union. The intention is to strengthen and unify data protection and to prevent the loss of personal data by improving data security for all individuals living in EU member states, now that the risk of data breaches from cyber-attacks keeps on increasing. This regulation addresses the export of personal data outside the EU. The regulation was adopted on April 27th, 2016 and it applies from May 25th, 2018. Until that date organizations have to comply with the new law. Otherwise they may face fines of up to 4% of their annual turnover or €20 million. Under GDPR the EU data protection law will apply to all foreign companies which are processing data of EU residents and they would have to comply with these regulations:
This regulation applies only if the data controller or the collector of data from EU residents, or the processor (the organization that processes data on behalf of a data controller, e.g. cloud service providers) or the data subject (person) is located in the EU. According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home security (including dealing with hacks and cyber-attacks) and other issues around the processing of personal and sensitive data. They need to be independent of the organization that employs them, and that is not just an advice.
Outsourced data storage on remote clouds is practical and relatively safe, as long as only the data owner, not the cloud service, holds the decryption keys.
The GDPR refers to pseudonymisation as a process of encryption, where original data will be rendered and the process would not be reversed without access to the right decryption key. Encryption and decryption operations must be carried out locally, not by a remote service, because both keys and data must remain in the power of the data owner. Outsourced data storage on remote clouds is practical and relatively safe, as long as only the data owner, not the cloud address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Under the GDPR, processors (e.g., many outsourced service providers) are likely to face higher costs as a direct result of the increased compliance obligations, and those costs are to be passed on to customers. The processors will have to identify their processing activities and make sure that they understand their responsibilities under the GDPR. A processor should also ensure that it has appropriate processes and templates in place for identifying, reviewing and reporting in case of data breaches to the relevant controller.
Each EU member state will have to establish an independent Supervisory Authority (SA) to investigate complaints and sanction administrative offences. The European Data Protection Board (EDPB) will be expected to coordinate all SAs. In the private sector, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance. These people, Data Protection Officers (DPO), are to be proficient at managing IT processes, data service, and holds the decryption keys.
All Data Controllers will be under a legal obligation to notify within 72 hours the Supervisory Authority in case of a data breach. On the other hand, the data processors will have to notify the controller without undue delay after becoming aware of any personal data breach. However, the data processor or controller do not have to notify the data subjects if the breached data is considered anonymous.
GDPR and compliance on data controllers in relation to the outsourcing of data processing activities is expected to be a shared obligation. The implementation of the GDPR in practice will require comprehensive changes to business practices for companies that had not implemented a comparable level of privacy before the regulation entered into force (especially non-European companies handling EU personal data).