General Data Protection Regulation
On 25 May 2018, the European data protection legislation will be updated. The EU General Data Protection Regulation (GDPR) replaces the existing 1995 EU Data Protection Directive. GDPR strengthens the rights that individuals have over their personal data and seeks to harmonise the data protection laws across Europe, regardless of where the data is processed. Skyron is committed to GDPR compliance, whether it is:
- providing our clients with a hosting environment that is GDPR compliant.
- delivering applications that are built to OWASP standards.
- processing data in a legally compliant manner.
- capturing data on behalf of our clients in an explicit manner.
We are also committed to helping our customers comply with the GDPR by providing stringent privacy and security protections in our services and contracts. Below are some points for you to consider:
Am I a "data controller"?
Yes, Skyron customers will typically act as the "data controller" for any personal data they provide in connection with their use of our services.
That means that they determine the purpose and means of processing personal data, while the data processor processes data on behalf of the data controller.
That said, in some cases, where we have built Software as a Service (SaaS) offerings for our clients, they will be a "data processor".
Are we a "data processor"?
Yes, we are typically a "data processor". We process personal data on behalf of the "data controller" when they use our systems or services.
That said, in some cases, where we have built Software as a Service (SaaS) offerings for our clients, they will be a "data processor" and we will be a "sub-data processor".
What’s the relationship between the two?
Data controllers and data processors are collectively responsible for implementing appropriate legal, technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR.
Their obligations arise from the data protection principles which require lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects' rights with respect to their data.
Typically, Skyron's customers will provide the legal construct and then work with Skyron to ensure that the organisational measures Skyron undertakes are commensurate with the legal requirements. The same is true from a technical perspective: Skyron will take responsibility for ensuring that those aspects meet the legal construct.
If you are a data controller, you will find guidance on your responsibilities under GDPR by regularly checking the website of the national or lead data protection authority. For the UK, this is the Information Commissioner’s Office at ico.org.uk.
You should also seek independent legal advice relating to your status and obligations under the GDPR, for legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, such legal advice.
Where should you start?
- Understand the overview of the GDPR, especially the changes that it will make to your current data protection obligations and business.
- Create an updated inventory of personal data that you handle. If you need any assistance, please do ask us.
- Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR. If not, build a plan to address any areas that need amending.
- Monitor updated regulatory guidance as it becomes available.
- Consult a lawyer to obtain legal advice specifically applicable to your business circumstances so that we can work together to get the right agreements in place.
- Work with us to make sure that your websites collect data correctly with the right opt-ins and legal terms.
- Understand what changes we need to have in place from a database perspective to ensure encryption and security levels.
- Know what intruder detection and log audit software we are running, if you host with us.
Skyron's commitments to the GDPR
Alongside other duties, "data controllers" are required only to use "data processors" that provide adequate guarantees as to appropriate technical and organisational measures so that data processing will meet the requirements of the GDPR.
Here are some aspects you may wish to consider when conducting your assessment of us with respect to GDPR:
- EXPERT KNOWLEDGE - We employ and work with security and privacy professionals to maintain our systems, develop security review processes, build security infrastructure, and implement security policies.
- OUR POLICIES - Our data processing agreements clearly set out our privacy commitments to customers. All new agreements reflect the GDPR and are available now, ahead of the GDPR coming into force, to help facilitate our customers' compliance assessment and GDPR readiness.
- FUNCTIONALITY - Our hosting facilities have all of the necessary functionality for compliance with the GDPR – not least because they are based in the United Kingdom. In addition, the method we use for deletion and retention of data is acceptable under the GDPR. This assures our customers that they are using software that is going to keep them compliant when 25 May 2018 comes around. We use high levels of intruder detection and log audit software.
- DATA PROCESSING - We promise to continue to keep a high level of security and will ensure timely breach reporting to meet all GDPR expectations. To help us with this, we access a number of security features through our hosting partners, Secura and Rackspace, including CloudFlare, IDS and log storage. Our security practices also include breach detection, timely notification and then recovery. We've purchased this protection on behalf of all of our customers. It is, though, incumbent upon each "data controller" to ensure that its "data processors" have the right infrastructure in place to process personal data.
- PROCESSING ACCORDING TO INSTRUCTIONS - Any data that a customer and its users put into our systems will only be processed in accordance with the customer's instructions.
- USE OF SUBPROCESSORS - We directly conduct all data processing activities required to provide our services, other than storage. Our hosting partners, Rackspace and Secura, who store the data for us, hold all the necessary and expected security accreditations.
- DATA RETURN & DELETION - Where your app's features do not include automatic deletion of data or a right to be forgotten, our helpdesk will delete and/or export (return) data at any time during the term of our service agreement.
- DATA CONTROLLERS - How we assist data controllers:
  - Data Subject's Rights - We can provide an export of customer data at any time during the term of the agreement.
  - Data Protection Officer - Our Software Data Protection Officer is Mark Jacobs. Any questions regarding data protection concerns can be directed to him.
  - Incident Notifications - We will provide contractual commitments around incident notification. We will continue to promptly inform you of incidents involving your customer data, in line with the data incident terms in our current agreements and the updated terms that will apply from 25 May 2018, when the GDPR comes into force.
  - Certifications - Our customers and regulators expect independent verification of security, privacy, and compliance controls.