INTRODUCTION
The General Data Protection Regulation (GDPR) is the replacement for the EU Data Protection Directive 95/46/EC. This significant piece of European privacy legislation strengthens the rights that EU individuals have over their data and creates a uniform data protection law across Europe.
Core principles such as the “accountability principle”, “privacy by design” and other key changes which have been introduced will define how internal policies and controls must be implemented and enacted to responsibly and comprehensively protect the privacy of personal data of EU citizens.
The GDPR will become enforceable on May 25th of 2018. Every organization processing personal data of EU citizens is required to uphold compliance with this new regulation prior to the enforcement date.
DEFINITIONS
Personal Data means any information relating to an identified or identifiable natural person (“data subject”), including any data that can be used with other sets of data to identify an individual.
Processing means any operation carried out on personal data regardless of whether it is by automated means, including paper-based systems and related processes.
Data Subject means any individual who can be identified, directly or indirectly, by identifiers such as name, identification number, location data, email address, or by factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that person.
Data Controller means those who determine the purpose and manner by which personal data is to be processed.
Data Processor means those who obtain, hold, and process data on behalf of a data controller.
YOUR GDPR RESPONSIBILITIES
When using our services to store or process your personal data, including that of your customers or users, you are the Data Controller and we are a Data Processor.
You must ensure that any services you use to process personal data are doing so in compliance with the GDPR. This means that when you use any of our services to process your personal data you need to ensure certain contractual terms are in place.
This statement is our commitment to help you meet these GDPR regulatory obligations.
WE HELP YOU TO COMPLY WITH GDPR
Our approach to compliance also helps you to comply. We provide this statement to explain our activities and to assure you that by using our services your data is being handled in a GDPR-compliant fashion.
Furthermore, if required, we will assist you or the Information Commissioner’s Office with any query relating to the GDPR compliance of our services.
DATA PROTECTION CONTACT
If you want to exercise your data subject rights please contact dp@cloudstack.co.uk . Questions, queries or requests for further information regarding our GDPR compliance should be sent to dp@cloudstack.co.uk .
OUR GDPR COMMITMENT
As a specialist in data protection and security, CloudStack is already familiar with ensuring our business, services and internal processes are compliant with the applicable laws and guidlines.
We employ consultants to evaluate our services and advise us about the impact and changes required for compliance with regulations such as the GDPR. These assessments inform our roadmap to prioritize and eliminate any gaps with direct or compensating controls.
As a service provider, we value the need for data protection and consider this an integral part of our everyday business. Our compliance team has carefully analyzed our role and obligations to achieve and maintain GDPR compliance. CloudStack is committed to diligently address and comply with EU data protection requirements with a focus on customer confidence and trust.
How we’ve been preparing for GDPR:
- CloudStack staff are being specifically trained to understand their roles and responsibility in the organizational requirement for data protection compliance when processing your personal data.
- We’re updating policies and controls to comply with any changes in regulation by employing compliance experts to identify the areas in which personal data is processed internally or using external third-party services.
- Making changes to our policies and by delegating the appropriate responsibilities for data protection within the organization for continual awareness and exercise of best practices.
- Through ongoing audits to systems, processes and services to maintain compliance and enforce the privacy and security of processed personal data.
How we’re ready for GDPR:
- The services we offer to our customers in addition to our own internal policies and procedures are continually assessed for compliance with applicable laws and regulations.
- Appropriate technical and personnel protocols are in place to ensure the security of your data.
- Due diligence is exercised when selecting any sub-processors or other third-party processors for any handling of personal data.
OUR ROLE AS A DATA CONTROLLER
Personal data will be processed in order to provide our service. This means that we will store and use this information for (at minimum) account management purposes. We may also contact you by telephone and email as part of our sales, marketing, and support activities. You can opt out by contacting our support team.
Processing of your data will only be done where necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data, in particular where the data subject is a child.
The categories of recipients of the personal data are as follows:
- Third parties who are Data Processors on behalf of CloudStack, such as hosting provider(s).
- Tools used internally by staff within our organisation, such as billing or trouble ticket system(s).
If data shared with third parties outside of the EU, it is only done with processors who follow the guidelines outlined in the GDPR. A list of the processors we use can be found and will be updated when there are any additions or changes to those processors.
Personal data is stored for the duration of our service, can be removed or amended upon request by contacting our support team, and consent to process can be withdrawn at any time.
The personal data we request is not a statutory or contractual requirement. However, it is necessary we collect some basic details in order to create an account or use CloudStack’s services. We may use information such as frequency and destination of visits to our websites to send advice or marketing information to our users, including automated decision making.
We also use anonymised data in aggregate for the purpose of better understanding how our software is used. We may also use this anonymised information in our publications such as marketing literature.
OUR ROLE AS A DATA PROCESSOR
When using our service to store data, you are the Data Controller and CloudStack is the Data Processor. The data you store on our services is not accessed by or used for any processing of our own, and any processing (as a Data Processor) is only in terms of the services we provide to you.
Access to your data by third parties will not be granted unless required to do so by law. Where law enforcement or other authorized parties might request access to our servers, we follow strict internal policies for dealing with such requests according to existing law. Furthermore, any third parties are required to demonstrate they have a lawful reason to access the data and under what authority.
OUR SUBPROCESSORS
In some cases, CloudStack uses subprocessors to assist in providing services to our customers. Our subprocessors are also taking steps to comply with the GDPR. In such engagements, CloudStack undertakes to use a commercially reasonable selection process to evaluate the security, privacy, and confidentiality of any third party subprocessor that will or may have access to personal data we control or process.
OUR SECURITY
The facilities we host our services from have multiple security safeguards and controls in place, including:
- Tier 4 UK data centres
- Manned by trained staff 24 hours per day, 365 days per year
- CCTV security cameras monitoring access points and perimeter
- Controlled entrances using electronic access card systems
- Access remotely monitored by 3rd party security company
- Entrances are secured with interlocking doors
- ISO 27001 data centre
Maintaining security
Employees with a responsibility to personal data security will be trained in the necessary technical aspects required to support the ongoing compliance and protection of our systems. We may also perform the security maintenance of our customer’s own servers or hosted applications if an agreement for these services is in place with our customers.
When performing security updates, this is done with strict attention to the protection and privacy of data and where appropriate, in discussion with our customers.
Access to servers
Administrative access to our services is restricted to key personnel on our team. We only access servers to resolve issues or perform specific maintenance as required to meet our service level obligations.
The staff at our hosting facilities have physical access to the servers. There are strict protocols in place to limit that access to those operations required and requested from an authorized member of our team in order to facilitate maintenance such as visual inspection of the server area or to perform hardware maintenance on the server itself.
OUR EMPLOYEES
All employees will be trained and made aware of their responsibilities under GDPR. This includes their responsibilities with regards to protecting or processing any personal data for which we are the Data Controller or where we are a Data Processor. Security and data governance is promoted internally through training sessions, in our employee handbooks, and as a routine discussion point.
DATA BREACHES
In the unlikely event of a breach occurring (as defined in the GDPR) we will notify you within 72 hours of the breach coming to our attention. This will be enough time for you to consider your requirements, under GDPR, for reporting the breach to the ICO and Data Subjects.
DATA LOCATION
All data in held in Tier 4 UK data Centres. Where your data is stored on our own servers, it is stored on our own server hardware co-located at an accredited and certified facility. Our providers are audited to strict standards, such as (but not limited to) ISO 27001 and SOC. None of your data is stored or transferred outside the location you selected without your instruction or consent.
DATA PRIVACY
When your data is sent to our servers, it uses industry-standard AES-256 encryption for both data transmission and storage. When properly configured, encryption is performed before it is transferred to our facilities. Once stored on our servers, data is again written in encrypted form to restrict and limit access. Encryption keys are not shared or reused between customers to further minimize the capacity for compromise by any single key.
DATA RECTIFICATION
If the data being protected has changed at the source, these updates or other modifications are replicated to our servers during the next period of scheduled backup activity. Any corrections or amendments will be reflected automatically in the next recovery point.
DATA ERASURE
Aging recovery points or backup sets can be automatically deleted after a certain amount of time. Our retention policy configuration provides you with the controls needed to ensure data is not being kept for longer than is necessary, whether for regulatory purposes or if required by choice or law.
FIND OUT MORE
Please contact us if you’d like further information about using CloudStack solutions to support compliance with the GDPR for your business or customers.
Contact Us
This material has been prepared for informational purposes only. It is not intended to be and should not be considered legal advice. Transmission of the information is not intended to create, and receipt does not constitute, a binding agreement or relationship. No warranty is provided for the information or views contained in this report. CloudStack.co.uk shall not be responsible to any person arising from or in connection with any use, or misuse, or reproduction of this report.