
Common GDPR and SaaS Backup Questions Our Customers Ask


When do GDPR regulations go into effect?


The GDPR regulation has been in effect since April 14, 2016; however, the enforcement date of the GDPR is May 25, 2018.


What is Personal Data?


Any data that can help identify an individual is personal data under GDPR. GDPR intentionally includes a very broad definition of information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data extends beyond a person’s name or email address. Some examples include financial information, political opinions, genetic data, biometric data, IP addresses, physical address, sexual orientation, and ethnicity.


Does it matter whether you are a Controller or a Processor?


Yes, your role under the GDPR dictates your obligations and requirements. A Controller is the organization that determines the purposes and means of processing personal data. A Controller also determines the specific personal data that is collected from a data subject for processing and obtains consent. A Processor is the organization that processes the data on behalf of the Controller. Customers of OwnBackup are Controllers under GDPR. They decide what information they are legally able to collect and store, and instruct OwnBackup to back up their SaaS platform and perform restoration, comparisons and other archiving activities on their behalf. OwnBackup is acting as a Processor by performing these and other services for its customers.


What is the EU-US Privacy Shield?


The EU-US Privacy Shield is a framework for exchanging personal data for commercial purposes between the European Union and the United States. One of its purposes is to allow US companies to receive personal data from EU organizations while ensuring the EU privacy laws that are meant to protect EU citizens are observed. Operational since August 2016, the Privacy Shield framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. The framework also brings legal clarity for businesses relying on transatlantic data transfers, such as placing strong data protection obligations on companies receiving personal data from the EU, safeguards on US government access to data, and forms of redress for individuals. For more information, see here (http://europa.eu/rapid/press-release_MEMO-16-2462_en.htm).


As a Data Controller, what do I need to be asking my SaaS backup Data Processors before GDPR enforcement begins May 25th?


When third parties process data on your behalf, you’re obligated to ensure they have sufficient guarantees and technical measures in place to protect the rights of the Data Subject. Consider the following areas when engaging third parties:

  • How are your vendors meeting the necessary standards for data security and privacy? This includes both contractual and regulatory obligations.
  • Are your vendors able to demonstrate robust privacy, data protection, and other security practices around their network and infrastructure?
  • How are your vendors able to support a culture of privacy by design?
  • How do your vendors help you manage your obligations as a Data Controller?

Should US and Non-European companies be concerned about GDPR?


Yes! If you are capturing and storing personal data of European Data Subjects, you must pay attention to GDPR. Whether that data is stored in the EU or not, your company will be held liable under the GDPR requirements. In other words, if you offer goods and services to, market to, or process the data of citizens of EU member states, capturing EU Data Subject personal information, you will be impacted by this regulation.


How do I find and access Data Subjects' information that may reside in my data backups?


As Data Controllers, you’re responsible for maintaining an inventory of personal data, including the data in your archives. This can be one of the more difficult obligations of a Data Controller, particularly because you must not only furnish your Data Subject(s) with details of how their data is handled, shared, and used, but also provide notification without undue delay. Data Controllers using OwnBackup will be able to perform global personal data searches across their archives, identifying the region and attachments in which the Personal Data resides. This will be possible on-demand and within minutes.


As a Data Controller, how long do I need to keep backups for?


When determining your retention period, you need to account for what category of data you have captured, your legal right to maintain it, and any regulations that would impact the retention of this data. As a Data Controller, based on your business’ risk tolerance, privacy impact assessment, and compliance obligation(s), you can decide whether it’s appropriate to retain data, for example, for 6 months or for 6 years. OwnBackup supports custom retention policies to match the length of period you need without compromising your ability to meet your regulatory data retention strategies.


As the regulatory body that will enforce GDPR, how has the Information Commissioner's Office (ICO) defined "privacy by design"?


“Privacy by design” requires that privacy and data protection controls are the common thread that has been woven into each aspect of your technology stack, from code development, to product features, to the risks of how you process data and retain data. How well these factors tie together determines your compliance with the rights and freedoms afforded EU individuals under GDPR.


What steps did OwnBackup take to prepare for GDPR compliance themselves?


We’re using a multi-faceted approach that includes key stakeholders such as legal, security, IT, engineering, executive management, R&D, customers, and outside data privacy advisors to address our GDPR implementation. This includes raising internal employee education and awareness on data privacy as well as data handling guidance. As the regulation recommends, and as we’ve discussed in our blog (link here), we’ve documented our data inventory, built out a data lifecycle, prepared a data classification model, performed privacy impact assessments, revised policies and procedures, and implemented the necessary functionality and practices to not only exceed industry best practice but also GDPR requirements. We’ve embraced GDPR’s concept of Privacy By Design, initially developed by Ann Cavoukian, Privacy Commissioner Ontario, Canada, back in the early 90’s, and sought to include Ms. Cavoukian’s and GDPR’s perspective on the approach across our infrastructure.



The above information is provided by OwnBackup for informational purposes only and is not intended to serve as legal advice nor a replacement for legal advice. OwnBackup does not take responsibility for misinterpretation or misunderstanding of any content by the reader. OwnBackup makes no guarantee, express, implied, or statutory, as to the information posted on these pages. You should contact your attorney to obtain advice with respect to any particular compliance, regulatory or GDPR-related question.