Introduction
GDPR (General Data Protection Regulation) and its impact on service providers seems to be a very popular topic. I have published two shows: one explains what GDPR is, and the other covers Privacy by Design principles. The idea behind this series is to bring awareness about GDPR, and this show focuses on service providers, as they seem to be very confused when it comes to GDPR compliance. They are getting questions from their customers and are not sure how to respond.
Types of Service Providers
There are three types of service providers:
- IaaS: Infrastructure as a Service
- PaaS: Platform as a Service
- SaaS: Software as a Service
Roles
For each of the service provider types above, the following roles can be assumed:
- Role A: Storing info about EU citizens as a result of providing the service.
- Role B: Storing info about EU citizens as they are your employees.
- Role C: A regular service provider role, as in providing services to customers who might be handling EU resident data.
How am I impacted?
If you are a service provider assuming Role A or Role B, you have to comply with GDPR. Service providers assuming Role C will be impacted depending on what kind of service they are providing:
- IaaS: This type of service provider will not be directly impacted as a result of GDPR. The customer consuming the service will have to ensure that the service provider is engaged in all processes that involve GDPR data. For instance, when it comes to data backups, the service provider does not know the exact location of the data, and hence has no idea which backup holds what data. The customer will have to instruct the service provider on which backups to destroy, and the service provider will have to confirm that the activity was indeed completed. The customer is solely responsible for GDPR compliance. The customer is both the Data Processor and the Data Controller.
- PaaS: In this scenario, the platform has to be designed according to "privacy by design" principles to ensure that all GDPR requirements are addressable, such as data locations, data export format, retention, backups, etc. The customer is responsible for ensuring that the platform they select is GDPR compliant. The service provider is the Data Processor and the customer is the Data Controller.
- SaaS: In this scenario, the software has to be designed according to "privacy by design" principles to ensure that all GDPR requirements are met. The software should be able to address the following rights of the Data Subject: consent, access, deletion, modification, portability, and the right not to be subject to automated data profiling. As far as breach notification goes, the Data Processor will immediately notify the Data Controller, and the Data Controller will notify the authorities and the Data Subjects of the breach within 72 hours.
Conclusion
The bottom line is that a service provider has to ensure that the products they offer in the market are GDPR compliant and are designed according to "privacy by design" principles. There is no GDPR compliance certificate that an independent third party issues. It will only become an issue when a breach is reported. Furthermore, it might be easy for a GDPR regulator to enforce it within the EU, but it is a totally different story how it will be enforced or enacted outside EU jurisdiction.