1. My company is not established in Europe and/or does not reside in Europe. Is my company excluded from the reach of GDPR? Why?
The General Data Protection Regulation (GDPR) has extraterritorial effect: it applies to companies established outside Europe that offer goods or services to residents of the European Union (EU) or that monitor behaviour taking place within the Union. This means that even if your company is not established within the EU or the European Economic Area (EEA), you should assess whether your clientele includes residents of the EU or EEA. If so, you are required to comply with GDPR when you process their personal data. Note that the definition of personal data is very broad in the EU and includes data that are not commonly perceived as personal data; examples include pseudonymized data and IP addresses (both static and dynamic).
2. What does my company need to do to be GDPR compliant?
GDPR outlines many detailed and stringent requirements. Notably, it imposes significant documentation requirements, meaning that many of the compliance obligations must be demonstrated through written documentation. To aid your understanding, these requirements can be broadly grouped under two umbrellas: privacy hygiene and data subject rights.

Under the umbrella of privacy hygiene, there are requirements to maintain a data processing inventory, demonstrate privacy by design and by default, conduct data protection impact assessments, report data breaches to data protection authorities within 72 hours (and also to the affected clients under certain circumstances), appoint a designated Data Protection Officer (exclusions apply), maintain data security, and more. Under the umbrella of data subject rights, the data subjects whose data are being processed are equipped with rights over their data, including the right to access, the right to rectification, the right to erasure, the right to information, the right to restrict processing, the right to withdraw consent, the right to data portability, and many more.

Due to the complexity and the level of detail contained in GDPR, it is advised that you familiarize yourself with the full text of GDPR, available here on the European Commission's webpage. In addition to the Regulation, the Article 29 Working Party also publishes guidelines to aid the interpretation of GDPR. Even though these guidelines are not binding or decisive on GDPR interpretation, their advice carries significant weight and is a reliable guide to understanding GDPR. It is also worth noting that GDPR gives member states flexibility on some of its requirements, for example in the areas of employee data and data subject rights. This means that when member states introduce legislation to implement GDPR locally, there are areas where each member state may differ slightly from the others.

Therefore, it is highly recommended that your company be aware of this flexibility and understand the differences if you operate in several different member states within the EEA.
3. What assurances or enhancements in GDPR do I benefit from using Alibaba Cloud in comparison with Alibaba Cloud’s competitors?
At Alibaba Cloud, we understand the importance of international data protection standards and will help ensure that the security interests of countries around the world are respected. We adopt industry standards and best practices to safeguard personal data and ensure that our own privacy practice meets the required laws and regulations. We also closely monitor countries' policies to stay on top of all the changes that may impact us and our customers.
4. What support will Alibaba Cloud offer to its customers to achieve compliance when GDPR comes into effect?
Along with providing compliant hosting services, Alibaba Cloud offers privacy management guidance. Through our partnership with industry-leading privacy risk management technology partners, customers can access this guidance to maintain the highest standards of data protection and privacy. We also put ourselves in our customers' shoes, sharing our experience to help our customers.
5. Is Alibaba Cloud GDPR compliant?
Alibaba Cloud takes compliance and our customers' privacy very seriously. Effective May 25, 2018, Alibaba Cloud services are GDPR-ready.
6. What concerns should I have regarding GDPR when comparing a Chinese IaaS provider to a European or American one?
When it comes to GDPR, there is no difference in compliance requirements between IaaS providers around the world. All IaaS providers offering products or services to an EU/EEA clientele are required to comply with GDPR.