What is the EU GDPR?
The EU GDPR is a consolidated legal framework intended to ensure the protection of “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. It is a mandatory law requiring compliance with provisions that apply throughout the European Union to the business usage of personal data. It replaced the patchwork of existing regulations and frameworks and the 20-year-old Directive (95/46/EC).
The deadline for compliance is May 25, 2018.
The territorial scope of this new law is broader than that of the Directive. It also imposes new obligations on organizations processing data, so most organizations will have to make some changes to their privacy programs to ensure GDPR compliance:
- The scope of GDPR includes monitoring the behavior of Individuals in the EU, even if it is done by Data Controllers located outside of the EU, so the applicability is broad and encompassing. Practically every website and app tracks digital activities of its visitors in some fashion.
- The GDPR now extends the current due diligence obligations and adds potential liability to Data Processors, not just Data Controllers. Data Controllers are obligated to engage Data Processors who meet the standards for security of data processing.
- For the first time, the GDPR introduces a general data breach notification standard. Notice must be provided without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.
- The GDPR also enhanced the existing individual rights by amending the right to request deletion of personal data (known as the Right to be Forgotten) and creating a new Right to Data Portability. For example, the Right to be Forgotten allows a Data Subject to request the deletion of personal data and, in some cases, to require other controllers to also comply with the request. The Right to Data Portability requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject requests.
Impact to Your Organization
New requirements around individual rights make privacy an operational issue. Some examples are: The Right to Information, Right to Access, Right to Rectification, Right to Restrict Processing, Right to Object, Right to Erasure, and Right to Data Portability.
Meeting new requirements by the upcoming deadline will require stakeholders from multiple departments in your organization to come together. Before deciding the best areas to invest in with new resources and technology, the team should conduct a priorities assessment. The priorities assessment will assess your current privacy posture against GDPR requirements. Then, after the risks and gaps are assessed, the team can begin to implement a prioritized list of requirements and demonstrate compliance.
How Can Alibaba Cloud Help?
As part of the effort to expand customer control over the use of personal data, the GDPR introduces new data subject rights. One is the Right to be Forgotten (GDPR article 17). Alibaba Cloud provides an account deletion function, which achieves systematic account deletion.
Privacy by Design
Privacy by Design promotes privacy and data protection from the beginning. All of our newly released Alibaba Cloud products have passed through a security review and a privacy design assessment to ensure that security and privacy considerations are embedded in the product.
Alibaba Cloud has published the latest version of its security whitepaper, which describes our security methodology. The whitepaper covers the following aspects: security policies, organizational security, compliance, data security, access control, personnel security, physical security, infrastructure security, systems and software development and maintenance, disaster recovery and business continuity. The content provides useful guidance on how our security practice can support the requirements in Article 32 of the GDPR. In December 2018, Alibaba Cloud became the first cloud provider to attest to the additional requirements of the German C5, to demonstrate our commitment to a higher security standard. Furthermore, Alibaba Cloud has established breach notification policies and procedures, and has conducted numerous drills to ensure that the teams involved are aware of their roles and responsibilities.
Prior to preparing for the GDPR, Alibaba Cloud obtained the TRUSTe Enterprise Privacy Certification, and met the requirements of Singapore's Personal Data Protection Act (PDPA). Experience with these requirements laid a foundation for preparation for the GDPR.
In order to ensure compliance with the GDPR in the EU, in particular with the requirements of data subject rights, Alibaba Cloud carefully examined every system and data flow to ensure full coverage. In total, the modifications ran across over a hundred systems. We have also invested significant people and resources, both external consulting firms and internal project teams, and coordinated among different departments. The synergy between teams was significant. At the same time, Alibaba Cloud also uses a privacy platform to systematically manage and maintain privacy operations.
Alibaba Cloud is a founding member of the EU Cloud Code of Conduct and the General Assembly, which is actively involved in the formulation of a code of conduct for EU cloud services in accordance with the requirements of GDPR Article 40, engages in constructive collaboration with the Data Protection department, and ensures that their expectations and future guidance for the GDPR are taken into account while drafting the code. Alibaba Cloud is committed to maintaining a high standard of data protection throughout the Alibaba Cloud ecosystem and to contributing to the healthy development of the whole technology industry. We support transparency in the cloud computing industry and help cloud customers understand how cloud service providers address data protection issues.
Cross-border transfer of personal data is a challenge that many global companies have to face, and in an age of rapid growth in cloud services, not all EU-approved transfer tools fit ever-changing business models. The European Commission has restarted work on the Standard Model Contract on data processors and sub-processors, building on the previous work drafted by the Article 29 Working Group. Along with several other peers, Alibaba Cloud joined the task force to help create a new data transfer tool that will help the industry address this challenge.
Our Work with Research
Data Portability is a hot topic, whether as a requirement of the new General Data Protection Regulation (GDPR) or as part of the new multi-cloud strategy that organizations are adopting in this information age. As part of the effort to expand customer control over the use of personal data, GDPR introduces new data subject rights. One is the Right to be Forgotten (GDPR Article 17). The other is the Right to Data Portability (GDPR Article 20), which requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject requests. One of the GDPR’s responses to the "Big Data" trend is to create this new data portability right. The aim is to increase the choice of online services for users. If applicable, it might even be necessary for the Controller to transfer data directly to competitors. The Right to Data Portability is concerned with the difficulties users face in switching between platforms, as they must recreate almost everything when moving to new services. Most large platforms cannot interoperate, such as SaaS social media, where switching means giving up your entire social network. Some systems are designed to directly address data transfer and interoperability issues in order to support greater competition.
To improve the understanding of data portability at Alibaba and in the broader industry, master's degree students at Carnegie Mellon University helped us, through our privacy program with the university, to deliver a technical research report on data portability.
Content includes:
1) The regulatory landscape – Americas, EMEA, APEC regulations on data portability, including similarities or conflicts between those requirements in different jurisdictions, e.g. the EU GDPR vs the US HIPAA on portability.
2) Cloud provider policy level – From the policy and statement level, each of the major cloud service providers' treatment of data portability. How do they compare to each other?
3) Technology level – How to achieve data portability in cloud services? Cost vs technology involved. What are the options for each type of organization, big companies vs. small/medium enterprises?
The report was published on the Alibaba Cloud website and as an International Association of Privacy Professionals (IAPP) news article, providing the industry a detailed background of the transferability of data required under the GDPR. The technical research in the report has attracted the interest of EU regulators, as the study could provide technical implementations and perspectives to contribute to the development of other relevant EU laws.
Partners and Ecosystem
Alibaba Group is a family that values the ecosystem. Alibaba Cloud is no exception. At Alibaba Cloud, every single thing we do takes into account the impact on the entire ecosystem. We understand the importance of international data protection standards and help ensure that the security interests of countries around the world are respected. We use industry standards and best practices to protect personal data and ensure our own privacy practices comply with the required laws and regulations. We closely monitor global policies to stay on top of changes that may affect us and our customers and eco-partners.
In addition to providing compliant cloud services, Alibaba Cloud also provides privacy management guidance through partnerships with industry-leading privacy risk management technology partners, and we also help our customers and partners by sharing our journey and experiences.
Alibaba Cloud has partnered with TrustArc for its GDPR compliance program. TrustArc offers tools and solutions through a proven methodology hosted on Alibaba Cloud, to evaluate readiness, build a plan, and then implement the plan for GDPR compliance. The Build, Implement & Demonstrate approach coupled with their integrated technology solution helps companies manage a sustainable GDPR program. For more information, visit www.trustarc.com/alibaba
1. My company is not established in Europe and/or does not reside in Europe. Is my company excluded from the reach of GDPR? Why?
The General Data Protection Regulation (GDPR) has extraterritorial effect, and applies to companies that reside outside of Europe but provide goods and services to residents within the European Union (EU), or monitor behaviors that take place within the Union. This means that even if your company is not established within the EU or the European Economic Area (EEA), you should assess whether your clientele includes residents within the EU or EEA. If so, you are required to comply with GDPR when you process their personal data.
Note that the definition of personal data is very broad in the EU, and includes data that are not commonly perceived as personal data. Such examples include pseudonymized data and IP addresses (static and dynamic).
2. What does my company need to do to be GDPR compliant?
GDPR outlines many detailed and stringent requirements. Notably, GDPR imposes significant documentation requirements, signifying that many of the compliance requirements need to be demonstrated by written documentation. To aid your understanding, these requirements can be broadly categorized into two umbrellas: privacy hygiene and data subject rights.
Under the umbrella of privacy hygiene, there are requirements to maintain data processing inventory, demonstrate privacy by design and by default, conduct data protection impact assessments, report data breaches to data protection authorities within 72 hours and also to the affected clients under certain circumstances, appoint a designated Data Protection Officer (exclusions apply), maintain data security, and more. Under the umbrella of data subject rights, data subjects whose data are being processed are equipped with rights to their data, and such rights include right to access, right to rectify, right to erasure, right to information, right to restrict processing, right to withdraw consent, right to data portability and many more.
Due to the complexity and the level of detail contained in GDPR, it is advised that you familiarize yourself with the full text of GDPR, available here on the European Commission’s webpage. In addition to the Regulation, the Article 29 Working Party also publishes guidelines to aid the interpretation of GDPR. Even though their guidelines are not binding or decisive on GDPR interpretation, their advice carries significant weight and is a reliable guide to understanding GDPR.
It is also worth noting that GDPR provides flexibility to the member states for some of its requirements, for example, in the area of employee data and data subject rights. This means that when member states introduce legislation to implement GDPR locally, there are areas where member states may differ slightly from each other. Therefore, it is highly recommended that your company is aware of this flexibility and understands the differences if you operate in several different member states within the EEA.
3. What assurances or enhancements in GDPR do I benefit from using Alibaba Cloud in comparison with Alibaba Cloud’s competitors?
At Alibaba Cloud, we understand the importance of international data protection standards and will help ensure security interests for countries globally are respected. We adopt industry standards and best practices to safeguard personal data and ensure our own privacy practice meets the required laws and regulations. We are also closely monitoring countries' policies to stay on top of all the changes that may impact us and our customers.
4. What support will Alibaba Cloud offer to its customers to achieve compliance when GDPR comes into effect?
Along with providing compliant hosting services, Alibaba Cloud offers privacy management guidance. Through our partnership with industry leading privacy risk management technology partners, customers can access this guidance to maintain the highest standards of data protection and privacy. We also put ourselves in our customers’ shoes, sharing our experience to help our customers.
5. Is Alibaba Cloud GDPR compliant?
Alibaba Cloud takes compliance and our customers’ privacy very seriously. We are GDPR compliant by the effective date of 25 May 2018.
6. What concerns should I have regarding GDPR when comparing a Chinese IaaS provider to a European or American one?
When it comes to GDPR, there is no difference in terms of compliance requirements for IaaS Providers around the world. All IaaS providers providing products or services to an EU/EEA clientele are required to comply with GDPR.
Clarification on Compliance for Customers
1. Buying a compliant product or service does not make an organization compliant.
GDPR is a regulation that needs to be complied with by each individual organization like many other laws and regulations. Using cloud products and services that comply with the GDPR does not guarantee an organization is compliant. The compliant product alone cannot satisfy all privacy requirements. For example, many requirements under GDPR require action by each organization, such as the Data Protection Impact Assessment (DPIA), data breach reporting to the Data Protection Authorities (DPA) within 72 hours, reporting to affected customers under specific circumstances, appointing a Data Protection Officer (DPO), etc. None of these can be resolved by the compliant product alone, as they require support of the organization's internal operations. When using Alibaba Cloud, customers can be assured that Alibaba Cloud is compliant, but it is limited to the cloud platform used by customers. Customers themselves, especially those that are in personal data related industries (retail, telecommunications, travel, etc.) should be very careful when considering their own data protection practice and requirements.
2. Alibaba Cloud complies with the GDPR. This does not mean that Alibaba Cloud customers directly comply with the GDPR. Customers need to design products and processes, manage, perform an in-depth review and corresponding rectification, and establish a privacy system in order to meet the GDPR compliance requirements.
Under the GDPR, the new requirements around individual rights make privacy an operational issue. Some examples are: The Right to Information, Right to Access, Right to Rectification, Right to Restrict Processing, Right to Object, Right to Erasure, and Right to Data Portability. The GDPR also enhances existing individual rights by amending the right to request deletion of personal data (known as the Right to be Forgotten) and creates a new Right to Data Portability. For example, the Right to be Forgotten allows the data subject to request the deletion of personal data and, in some cases, to require other controllers to also comply with the request. The Right to Data Portability requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject requests. The above example shows that even when Alibaba Cloud complies with the GDPR, it does not mean that the customers directly comply with the GDPR. Customers need to design products and processes, manage, perform an in-depth review and corresponding rectification, and establish a privacy system in order to meet the compliance requirements. From a risk point of view, it is essential for an organization to protect personal data throughout its entire lifecycle, and also to have the ability to support the rights of the data subject in order to comply.
3. Complying with the GDPR is not a “security only” work, nor a simple “legal work”; it is a reflection of an organization’s management maturity level.
"You can achieve security without privacy, but you can’t achieve privacy without security." Therefore, complying with the GDPR is not a “security only” work, nor a simple “legal work”. It is also not something that a single person or department can achieve alone. It requires the awareness, support, maintenance, and interaction of each department. It is this synergy that reflects an organization’s management maturity level.