What is the EU GDPR?
The EU GDPR is a consolidated legal framework intended to ensure the protection of “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. It is a mandatory law requiring compliance with provisions that apply throughout the European Union to the business usage of personal data. It will replace the patchwork of existing regulations and frameworks. The GDPR replaces the 20-year-old Directive (95/46/EC).
The deadline for compliance is May 25, 2018.
The territorial scope of this new law is broader than that of the Directive. It also imposes new obligations on organizations processing data, so most organizations will have to make some changes to their privacy programs to ensure GDPR compliance:
- The GDPR’s scope includes monitoring the behavior of Individuals in the EU, even if it is done by Data Controllers located outside of the EU, so the applicability is broad and encompassing. Practically every website and app tracks digital activities of its visitors in some fashion.
- The GDPR now extends the current due diligence obligations and adds potential liability to Data Processors, not just Data Controllers. Data Controllers are obligated to engage Data Processors who meet the standards for security of data processing.
- For the first time, the GDPR introduces a general data breach notification standard. Notice must be provided without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.
- The GDPR also enhances the existing individual rights by amending the right to request deletion of personal data (known as the Right to be Forgotten) and creating a new Right to Data Portability. For example, the Right to be Forgotten allows a Data Subject to request the deletion of personal data and, in some cases, to require other controllers to also comply with the request. The Right to Data Portability requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject requests it.
Impact to Your Organization
New requirements around individual rights make privacy an operational issue. Some examples are: The Right to Information, Right to Access, Right to Rectification, Right to Restrict Processing, Right to Object, Right to Erasure, and Right to Data Portability.
Meeting the new requirements by the upcoming deadline will require stakeholders from multiple departments in your organization to come together. Before deciding the best areas to invest in with new resources and technology, the team should conduct a priorities assessment. The priorities assessment will measure your current privacy posture against GDPR requirements. Then, after the risks and gaps are assessed, the team can begin to implement a prioritized list of requirements and demonstrate compliance.
How Can Alibaba Cloud Help?
We strive to provide stable, reliable, secure, and compliant cloud computing infrastructure services. From datacenters to end users, Alibaba Cloud ensures the security and privacy of data through our comprehensive security capabilities. Rigorous physical security measures safeguard our datacenters, and advanced logical security technologies prevent unauthorized access to our networks. We adopt domestic and international information security standards, as well as industry requirements. With regular third-party evaluations and reviews from numerous certification authority agencies, we are constantly improving ourselves to a higher standard.
To find out more about our security control practice, please visit our Security and Compliance Center, or you can review our latest Security Whitepaper.
At Alibaba Cloud, we are committed to protecting the personal data of our customers around the world. We comply with applicable law in the markets in which we operate our business.
How Can Our Privacy Partner TrustArc Help?
Alibaba Cloud has partnered with TrustArc for its GDPR compliance program. TrustArc offers tools and solutions through a proven methodology to evaluate readiness, build a plan, and then implement the plan for GDPR compliance. The Build, Implement & Demonstrate approach coupled with our integrated technology solution helps companies manage a sustainable GDPR program.
TrustArc can help your organization comply with areas of the GDPR, including:
- GDPR focused readiness and priorities assessments
- DPIA & PIA program design, GDPR readiness and DPIA assessments, and comprehensive platform to manage assessments
- Data flow mapping
- Vendor risk management policy design and assessments
For more information, visit www.trustarc.com/alibaba.
1. My company is not established in Europe and/or does not reside in Europe. Is my company excluded from the reach of GDPR? Why?
The General Data Protection Regulation (GDPR) has extraterritorial effect, and applies to companies that reside outside of Europe but provide goods and services to residents within the Union, or monitor behaviors that take place within the Union. This means that even if your company is not established within the European Union (EU) or the European Economic Area (EEA), you should assess whether your clientele includes residents within the EU or EEA. If so, you are required to comply with GDPR when you process their personal data.
Note that the definition of personal data is very broad in the Union, and includes data that are not commonly perceived as personal data. Examples include pseudonymised data and IP addresses (static and dynamic).
2. What does my company need to do to be GDPR compliant?
GDPR outlines many detailed and stringent requirements. Notably, GDPR imposes significant documentation requirements, signifying that many of the compliance requirements need to be demonstrated by written documentation. To aid your understanding, these requirements can be broadly categorized into two umbrellas: privacy hygiene, and data subject rights.
Under the umbrella of privacy hygiene, there are requirements to maintain a data processing inventory, demonstrate privacy by design and by default, conduct data protection impact assessments, report data breaches to data protection authorities within 72 hours (and also to the affected clients under certain circumstances), appoint a designated Data Protection Officer (exclusions apply), maintain data security, and more. Under the umbrella of data subject rights, data subjects whose data are being processed are equipped with rights to their data, including the right to access, right to rectification, right to erasure, right to information, right to restrict processing, right to withdraw consent, right to data portability, and many more.
Due to the complexity and the level of details contained in GDPR, it is advised that you familiarize yourself with the full text of GDPR, available here on the European Commission’s webpage.
In addition to the Regulation, the Article 29 Working Party also publishes guidelines to aid the interpretation of GDPR. Even though their guidelines are not binding or decisive on GDPR interpretation, their advice carries significant weight and is a reliable guide to understanding GDPR.
It is also worth noting that GDPR provides flexibility to the member states for some of its requirements, for example in the areas of employee data and data subject rights. This means that when member states introduce legislation to implement GDPR locally, there are areas where each member state may differ slightly from the others. Therefore, it is highly recommended that your company be aware of this flexibility and understand the differences if you operate in several different member states within the EEA.
3. What assurances or enhancements in GDPR do I benefit from using Alibaba Cloud in comparison with Alibaba Cloud’s competitors?
At Alibaba Cloud, we understand the importance of international data protection standards and will help ensure that the security interests of countries globally are respected. We adopt industry standards and best practices to safeguard personal data and ensure our own privacy practices meet the required laws and regulations. We also closely monitor countries' policies to stay on top of all the changes that may impact us and our customers.
4. What support will Alibaba Cloud offer to its customers to achieve compliance when GDPR comes into effect?
Along with providing compliant hosting services, Alibaba Cloud offers privacy management guidance through our partnership with an industry-leading privacy risk management technology partner, which customers can access to maintain the highest standards of data protection and privacy. We also put ourselves in our customers’ shoes and speak from our experience to help our customers.
5. Is Alibaba Cloud GDPR compliant?
Alibaba Cloud takes compliance and our customers’ privacy very seriously. We are fully committed to becoming GDPR compliant by the effective date of 28 May 2018.
6. What concerns should I have regarding GDPR when comparing a Chinese IaaS provider to a European or American one?
When it comes to GDPR, there is no difference in terms of compliance requirements for IaaS providers around the world. All IaaS providers providing products or services to an EU/EEA clientele are required to comply with GDPR. Therefore, you should not have any concern specifically about this.