What is GDPR?
At its core, GDPR is a set of rules designed to give individuals in the EU more control over their personal data. It also aims to harmonize the regulatory environment for business across the member states, so that both individuals and businesses in the European Union can fully benefit from the digital economy.
If your company processes the personal data of people in the EU, for example because you trade with customers there, then GDPR rules will apply to you.
Failure to comply could result in organizations being fined up to 20 million euros or four percent of annual global turnover – whichever is higher.
Why is the GDPR needed?
Data breaches happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it, and those people often have malicious intent.
Under the terms of GDPR, not only will organizations have to ensure that personal data is gathered lawfully and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, and to respect the rights of the data subjects it describes, or face penalties for not doing so.
Will the GDPR impact my company?
The short answer is that if your company processes the personal data of people in the EU, for example because you trade with customers there, then GDPR rules will apply to you. To ensure that your business is GDPR compliant, it is essential that you review your consent policies and procedures to verify that they meet the new, higher standards.
The risk to your company? High fines as well as damage to your brand and reputation.
What are the new requirements?
Privacy by Design – Privacy by Design (PbD) has always played a part in EU data regulations. But with the new law, its principles of minimizing data collection and retention and obtaining consent from individuals when processing their data are more explicitly formalized.
Data Protection Impact Assessments (DPIA) – When a planned processing activity is likely to pose a high risk to the privacy of the individuals concerned, companies will have to analyze those risks before the processing begins. This is another new requirement in the regulation.
Right to Erasure and To Be Forgotten – There has been a long-standing requirement in the Data Protection Directive (DPD), the law GDPR replaces, allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This is the still-controversial right to stay out of the public view and “be forgotten”.
Extraterritoriality – The new principle of extraterritoriality in the GDPR says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects — for example, through a website—then all the requirements of GDPR are in effect. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.
Breach notification – A new requirement not in the existing DPD is that companies will have to notify the data protection authority within 72 hours of becoming aware of a breach of personal data, where feasible; a later notification must explain the delay. Data subjects will also have to be notified, but only if the breach is likely to pose a “high risk to their rights and freedoms”.
Fines – The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds. More serious infringements can merit a fine of up to 4% of a company’s annual global turnover (or 20 million euros, whichever is higher). This tier covers violations of the basic principles of processing, including the requirement that personal data be kept secure, as well as violations of data subjects’ rights. A lesser fine of up to 2% of annual global turnover (or 10 million euros, whichever is higher), still enormous, can be issued for failures in the controller’s and processor’s own obligations: for example, if company records are not in order, if data protection by design and security measures are not implemented, or if a supervisory authority and data subjects are not notified after a breach. This makes breach notification oversights a serious and expensive offense.
When it comes to customer data, is Quantic Dynamics a controller or a processor?
Under the GDPR, a “controller” determines why and how personal data is processed. A “processor” processes personal data on behalf of the controller. Quantic Dynamics has limited knowledge of the data that each customer processes via the hosting infrastructure (“Customer Data”). Also, Quantic Dynamics only processes Customer Data in accordance with the customer’s instructions. Therefore, Quantic Dynamics is a processor of Customer Data hosted at Quantic Dynamics; the customer is a controller.
Will GDPR change the way Quantic Dynamics treats customer data?
Quantic Dynamics continues to treat customer data with the required level of sensitivity and confidentiality. Quantic Dynamics will continue to invest in the security of its customer solutions to ensure it remains compliant with applicable legislation.
Do you have other data centers within the EU where I can store my data?
Yes, Quantic Dynamics has virtual data centers in the EU, to provide our customers additional options for an EU footprint.
What services does Quantic Dynamics offer to help me comply with GDPR?
First, review the GDPR to determine whether it applies to your organization. If GDPR applies, make sure that you implement appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with GDPR.
Please feel free to reach out to a representative at Quantic Dynamics so that we can help tailor a solution to fit your business needs. While we cannot ensure that your company is GDPR-compliant, we do offer many products and services that can help you meet some of the GDPR requirements. You should always work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization and how best to ensure compliance. You can read more about our GDPR Compliance Services here.
How do I update my current agreement with Quantic Dynamics in light of GDPR?
We have a new Data Processing Addendum that will meet the requirements of the GDPR. By signing our Cloud Services Agreement, you are automatically accepting our Data Processing Addendum and do not need to sign a separate document. You can read our Data Processing Addendum here.