General Data Protection Regulation Explained
The European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, and it’s going to affect every business operating in the EU or dealing with EU customers. The new regulation replaces the outdated European Data Protection Directive that was adopted in 1995 and is designed to harmonize data privacy laws across the EU member states, protecting EU citizens’ personal data.
Acronis is committed to full GDPR compliance — both as a company dealing with EU customers and as a vendor providing data protection technology to other businesses that are subject to GDPR regulation. Acronis Products and Services provide everything needed to perform personal data processing in accordance with the new regulations.
Key terms and definitions
Before we take a closer look at what the new regulation entails and how Acronis can help your business become GDPR compliant, let’s review some key terms and definitions used in the new regulation. At this stage it’s also appropriate to point out that this blog post does not constitute legal advice and is intended, and should be used, for general information purposes only.
- Controller — “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” This may be you, the business operating in the EU and dealing with EU customers.
- Processor — “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” This is a cloud service provider and/or data protection vendor such as Acronis.
- Personal data — “any information relating to an identified or identifiable natural person.” This is the focal point and the reason for the entire GDPR.
- Data subject — the person identifiable by the personal data. These are the people who may ask you to reveal, edit or delete the personal information that you store about them on your servers. You will have to answer every request in a timely manner or risk hefty fines.
- Right to be forgotten — data subjects have “the right to have his or her personal data erased and no longer processed.” People may request that you delete all of their personal data stored on your servers. Your business may also be subject to certain backup retention policies for archiving and legal purposes. Please refer to our dedicated blog post on this topic: https://www.acronis.com/en-us/blog/posts/backups-and-gdpr-right-be-forgotten-recommendations.
- Personal data breach — “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” You will have to report data breach incidents to “the supervisory authority” within 72 hours of becoming aware of them.
- Service contract — a service agreement between controller and processor.
- Data Protection Officer (DPO) — a new role in your company, responsible for all issues related to the protection of personal data.
Key requirements of GDPR
The GDPR requires any business operating in the EU or foreign business dealing with EU customers to store or process personal data within the European borders (unless there is a lawful basis for data transfer outside of the EU).
Personal data can only be kept for as long as it is required for the initial purpose and must be protected in accordance with the new rules. Both the controller and the processor are required to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,” including data encryption or pseudonymisation (“the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information”).
The GDPR focuses on the concept of accountability, whereby businesses will have to “demonstrate” compliance with the principles relating to the processing of personal data. This will involve implementing more demonstrable processes and maintaining a proactive approach.
Dealing with your cloud storage and data protection vendor
The GDPR imposes new security and contractual requirements on organizations (controllers) dealing with cloud service providers and data protection vendors such as Acronis (processors).
The relationship between controllers and processors can be summarised by the following points:
- Cloud service providers have to offer sufficient guarantees that the service meets the technical and organizational requirements of the new regulation.
- Service contracts between the controller and the processor prohibit the use of subcontractors without the consent of the controller.
- On termination of the service contract, all data must be removed from the cloud and the processor must provide sufficient proof that it has been done.
- Controllers have a duty to report data breach incidents to the regulatory body.
How can Acronis help your company to become GDPR compliant?
- Control of data storage location. Acronis data protection solutions are built on top of the Acronis hybrid cloud architecture which allows you to control where your data is stored. On-premises or in a specific European-based datacentre, you have the final say in what to do with the protected data.
- Data encryption. Acronis offers strong data encryption on-device, in transit and in the cloud. The entire process is automated, and the user holds the key, meeting GDPR data security requirements.
- Ability to search data inside backups. Acronis allows users to drill down through backups, making it easy to find the required information.
- Ability to modify personal data. Acronis offers an easy way to modify personal data if and when requested by data subjects.
- Data export in a common format. Acronis technology allows data export in a common and easily usable format (e.g., ZIP archive) to meet the GDPR data portability requirements.
- Quick data recovery. Acronis has the world’s fastest data recovery technology. Features like Acronis Instant Restore™ allow users to achieve RTOs of 15 seconds or less by starting a Windows or Linux backup directly from storage as a VMware or Hyper-V VM, with no data movement required.
- Active protection against ransomware. Taking preventative measures is easier and more cost effective than going through with mandatory reporting of every data breach incident. Acronis Active Protection™ detects and blocks ransomware attacks and instantly restores any affected data.
- Blockchain-based data certification. With the help of Acronis Notary™, protected data can be easily certified with the help of blockchain-based technology to provide immutable proof of data integrity.
Try Acronis data protection solutions today and see for yourself how easy it is to gain GDPR compliance with the right technology.
The Acronis hybrid cloud architecture, full control over the protected data, data encryption, reporting, anti-ransomware protection, and notary-based backup integrity make Acronis a perfect partner for your data protection and GDPR compliance needs.