With the onset of GDPR (General Data Protection Regulation) in May 2018, data protection requirements will become more stringent. The responsibilities placed on an organisation relating to the data it holds will be two-fold:
- As a data controller (where the organisation enters and maintains personal data), the organisation must comply with rules concerning consent, access and transferability
- As a data processor [where the organisation holds data on its own servers] it must follow regulation by ensuring high level cyber security, physical hardware security, strict backup regimes, firewalls and auditing. For example, a data processor is responsible for monitoring the access to the physical equipment on which the data sits, and the route the data takes to be processed. A good way of doing this is to produce an access control policy, which clearly sets out roles and rights of staff members, only allowing staff with sufficient rights the ability to access system
What’s an organisation to do? The answer is to either remain a full data processor – with the responsibilities that come with that – or to outsource all its IT. An example of the latter is outsourcing to a hosted desktop provider that is accredited under ISO 27001, as it will already have policies and procedures in place which will cover the requirements of a data processor under GDPR.
Security tools previously only affordable by large organisations can be deployed for use by SMEs – affordable now because the costs are shared among users of the outsourcing company’s secure data centre. Services include robust firewalls, enterprise quality antivirus and web filtering, optional encryption of sent emails and management of all access devices [smartphones/tablets/laptops/desktops or thin clients] used by staff.
Outsourcing the storage, backups, security and processing of data to a company that complies with strict data protection regulations will ease the processing responsibility; “ease” because the organisation will still need to make sure that paper copies aren’t left lying around and that staff are given adequate authorisation to manage access to the data. However, the bulk of an organisation’s responsibility under GDPR’s data processor requirements can be safely left in the hands of the professionals at the outsourcing company.
Hybrid solutions, whereby an external IT company manages in-house equipment, can also work, but in such instances one needs to be particularly careful to use a very reputable IT company. For a hybrid IT solution, using the wrong kind of support company may hinder rather than help.
Let’s consider the following two scenarios: (i) the data storage is remote but the processing local (i.e. on the organisation's own servers). In this case, the organisation will still be considered a processor (ii) the organisation brings in an IT provider to manage the servers, but the servers are owned by the organisation. In this case, the organisation will still have the responsibilities of a processor. IT providers cannot typically take responsibility that the personal data customers hold is GDPR compliant and therefore the organisation must ensure that the data held complies with the rules.
However, when it comes to processing responsibilities, the burden of compliance will fall somewhere between the organisation and its IT provider. What an organisation must ensure is that it is working in perfect synergy with its IT provider in setting out the GDPR processing responsibilities. They need joint access policies, joint security policies and so on.
In summary, outsourcing all of the IT can greatly simplify the GDPR management process, while a hybrid solution can be GDPR compliant, but the organisation must be extremely diligent as to which IT vendor it chooses as a partner to ensure that nothing is falling between the proverbial cracks of GDPR’s processing and procedures.