I’m sure you will already be aware of the GDPR - the comprehensive reform of European Union (EU) privacy law which comes into force on 25 May 2018.
At Brightbox we have been working on updating our policies and procedures in readiness for GDPR and I thought it would be useful to give a quick overview, explain what we’re planning and hopefully answer any questions that you may have.
The General Data Protection Regulation is the new EU data privacy law which harmonises data protection regulation across the 27 member states, with the intention of increasing transparency and strengthening the data privacy rights of EU residents.
The GDPR becomes enforceable from 25 May 2018 and applies to any organisation that controls and processes the personal data of EU residents.
“Personal data” is broadly defined within the GDPR, but in general it can be thought of as any data that can be used to personally identify an individual.
The GDPR applies to any person or organisation that provides goods or services to EU residents or is otherwise involved with the processing of their personal data, regardless of whether the organisation itself is based within the EU.
The GDPR (and the Data Protection Act before it) clearly defines two main types of organisation involved in data processing:
According to the definitions above, Brightbox is both a “data controller” and a “data processor”.
Brightbox is a data controller in the context of handling our own customers’ personal data (account information, billing details, etc.) and is required to ensure that our handling of this data complies with the requirements of the GDPR.
Brightbox is a data processor in the context of providing cloud infrastructure services to our customers (themselves data controllers) who may use our services to process personal data that they control. Article 28 of the GDPR places responsibility on data controllers to only use processors (e.g. cloud providers) that can provide “sufficient guarantees” that they will meet the requirements of the GDPR, and this must be backed up with a legally binding agreement.
To assist with this requirement, we will be providing a new Data Processing Agreement which will give customers the relevant assurances and information.
In March 2019, the UK will formally leave the European Union (known as “Brexit”). We don’t anticipate any major impact on our compliance with GDPR, for the following reasons:
Over the next couple of weeks, we will provide:
In the meantime, if you have any questions about GDPR, please do get in touch and we’ll be happy to help.