On May 25th 2018 the European Union General Data Protection Regulation (GDPR) came into effect. One of its purposes is to better protect the personal data of individuals in the EU. If you have been working in the IT department of an EU organization any time in the past two years, there is little chance you missed these four letters.
Here at Cyren we understand these issues better than most – we have had cloud security data centers in the EU for many years now. But we are starting to realize that there are significant differences in how vendors are implementing GDPR, issues that you should understand.
GDPR introduces complexities for SaaS provider-customer relationships
Protecting personal data means different things to different people and organizations. For GDPR purposes, personal data is any information relating to an identified or identifiable natural person, i.e. someone who can be identified, directly or indirectly, from that information. As well as the obvious, such as an email address, this can include information like location data or an online identifier. Responsibility for protecting this data is shared between data controllers (the parties that decide why and how the data is processed; for the purposes of this discussion, usually the organizations holding data about their own employees) and data processors (usually the vendors or service providers who process the data on the controller's behalf). GDPR requires that data processors process personal data only on the documented instructions of the controller. This new regulation poses complicated challenges for both data controllers and data processors.
Where will your data reside after May 25?
Here is the critical point – GDPR does NOT require personal data to be kept in the EU. Instead it requires data processors to tell the controller where the data is processed and to obtain the controller's agreement (in practice, through the data processing agreement) before transferring it outside the EU. Some data processors have invested a lot of time and effort changing their infrastructure, services and workflows in order to ensure that personal data is processed in the EU. Others, who are unable (or unwilling) to make these adjustments, simply notify their data controller customers that they are sending data outside the EU and ask for consent. In both cases, appropriate security measures to safeguard personal data are required. We are finding that there is a big difference between what organizations think of as “GDPR compliance” and what they will eventually get.
Different countries are not treated equally by GDPR. In practice there are three tiers:
It starts with the European Economic Area (EEA), i.e. the EU member states plus Iceland, Liechtenstein and Norway. Data residing in these countries is governed by EU privacy rules and therefore may be transferred within the EEA without additional transfer safeguards. However, some organizations still prefer and/or require that data stay in their specific country.
The second tier is countries (e.g. Canada, for commercial organizations, and Israel) that the EU Commission has decided provide an adequate level of protection, so additional transfer safeguards (such as the EU-U.S. Privacy Shield or EU Standard Contractual Clauses) need not be implemented.
The third tier is countries (e.g. the US and China) that are not deemed to have an adequate level of protection. In order to process data in these countries, additional measures must be in place, such as the EU-U.S. Privacy Shield, binding corporate rules or EU Standard Contractual Clauses. (Note that the Privacy Shield was later invalidated by the Court of Justice of the EU in the Schrems II ruling of July 2020, so it is no longer a valid transfer mechanism; for the US today that leaves SCCs or binding corporate rules, plus a case-by-case assessment of the destination.)
Who is accessing your data?
For GDPR, data processing is not just about the place in which the data is stored. It is also concerned with the locations of the people who access the data (since merely accessing or viewing data counts as ‘processing’). So, when working with a SaaS provider, ask yourself the following questions:
Where is the support team located and who can view or obtain personal data during the support process?
Where are the devops people who can access production data?
Where are sub-processors located? Sub-processors are service providers used by your SaaS provider for things like data cleansing or account research, and these groups may expose personal data to other third parties (e.g. a support service that is provided by a subcontractor, or a cloud-based CRM system).
What are your goals for GDPR compliance?
I have tried to simplify all the above definitions, but the question remains – what are you trying to achieve for your organization when it comes to GDPR?
When people ask me this question, they usually mean “do you keep my data in the EU?”, as this is their main desired outcome of GDPR. The reason they want to keep the data in the EU comes from two basic concerns:
Lack of trust in the security agencies of countries outside the EU
The belief that in other places without adequate regulations, the data is not safe enough
Therefore, even if a US-based data processor is self-certified under the Privacy Shield Framework and transfers the data according to that framework, the data is still transferred to the U.S., which is exactly what many people were trying to avoid in the first place.
GDPR is non-trivial for service providers
From a service provider point of view, achieving the goal of keeping personal data only in the EU is not a simple task. I’ll use Cyren as an example. In the past year a major part of the effort of Cyren’s R&D, Detection, Cloud Operations and IT departments has gone into building the infrastructure that allows us to keep personal data in the EU for a number of our service offerings. Running a global cloud infrastructure for both threat detection and web and email security makes this a complicated task. The target was clear: to be able to state that Cyren processes our customers’ personal data in the EU.
Do your service providers help you meet your GDPR goals?
Once you have figured out what your goals are for GDPR compliance, you should check what each of your service providers and vendors offer in terms of their GDPR compliance and how they can support you.
To be precise about what we do as a data processor, our DPA contains a table listing each of our products and services and specifying exactly what processing of personal data takes place within each. Some services are provided entirely from the EU, some are provided from the U.S., and some are provided from the EU but may be escalated to an adequate jurisdiction if you need tier 3 or tier 4 support. If support personnel have access to users’ personal data (an email address alone qualifies), then the location of the support team matters. The data processor is responsible for providing an accurate statement of where the data is processed.
The real goal is data privacy
Cyren’s work around GDPR also affected many individual features in our services, which support our customers’ efforts to protect the privacy of their employees. As an example, we extended our administrator permissions model and created a Data Guardian role. Only administrators with this permission can see real user names in reports, while all other administrators see obfuscated names. This complements a similar permission that protects users’ privacy in our email archiving service, and is just one of the many ways in which we listen to our customers’ requirements.
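The report-side part of such a permission model is small enough to show in full. The following is an added illustration, not Cyren's code: a hypothetical `Admin` record carries a set of permission strings, and a report renderer reveals the real user identifier only to viewers holding the (hypothetical) `data_guardian` permission. Everyone else sees a pseudonym derived with HMAC-SHA256 under a per-tenant secret (`TENANT_KEY`, a placeholder here), so that per-user rows still line up across reports but the pseudonym cannot be reversed or matched against a list of candidate addresses without the key. The report rows are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical per-tenant pseudonymisation secret. In a real deployment this
# lives in the reporting service's secret store and never ships with a report.
TENANT_KEY = b"example-tenant-key-not-for-production"


@dataclass(frozen=True)
class Admin:
    """Administrator account with a flat set of permission strings (assumed model)."""
    name: str
    permissions: frozenset = field(default_factory=frozenset)

    def is_data_guardian(self) -> bool:
        return "data_guardian" in self.permissions


def pseudonymize(identifier: str, key: bytes) -> str:
    """Return a stable, non-reversible stand-in for a user identifier.

    A keyed HMAC rather than a plain hash: SHA-256(email) would be trivially
    reversed by hashing the company directory and comparing, whereas without
    the tenant key an attacker holding the report cannot run that dictionary
    attack. Normalising case first keeps "Alice@Example.com" and
    "alice@example.com" on the same row.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    digest = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return "user-" + digest[:16]


def render_report(rows, viewer: Admin, key: bytes = TENANT_KEY):
    """Render web-filtering report rows as a given administrator is allowed to see them."""
    reveal = viewer.is_data_guardian()
    rendered = []
    for row in rows:
        rendered.append({
            "user": row["user"] if reveal else pseudonymize(row["user"], key),
            "category": row["category"],
            "blocked": row["blocked"],
        })
    return rendered


# Constructed sample rows, in the shape a web-security report might produce.
SAMPLE_ROWS = [
    {"user": "alice@example.com", "category": "malware", "blocked": 3},
    {"user": "bob@example.com", "category": "phishing", "blocked": 1},
    {"user": "Alice@Example.com", "category": "gambling", "blocked": 2},
]

if __name__ == "__main__":
    guardian = Admin("dpo", frozenset({"data_guardian", "reports"}))
    helpdesk = Admin("helpdesk", frozenset({"reports"}))
    for admin in (guardian, helpdesk):
        print(f"--- report as seen by {admin.name} ---")
        for line in render_report(SAMPLE_ROWS, admin):
            print(line)
```

Two design points matter here. First, the check is made at render time on the server, not by hiding a column in the UI, so an administrator without the role never receives the real identifier at all. Second, the key is per tenant and rotatable; rotating it breaks linkability between old and new reports, which is the intended trade-off if a key is suspected to have leaked.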
There are of course additional requirements and additional development we had to take on in order to support GDPR. However, it will always begin with the question: what does GDPR compliance mean to you?
Read more about how Cyren can help simplify your GDPR compliance efforts.