On 25th May 2018 a new directive will come into force throughout the EU, including in the UK, called the General Data Protection Regulation (GDPR). The GDPR changes the requirements for organisations in the way they handle personal data. It replaces the existing Data Protection Directive (1995).
Very soon we will be issuing updated Terms and Conditions to ensure compliance with this new directive and we wanted to provide you with advance notice of these changes, since at that point you must act to avoid disruption to your services.
After these are issued, and when you log in to your GURU Portal, you will be asked to agree to the updated Terms and Conditions. Only your account holder can do this, or a user who has been granted full account permissions by the account holder.
To help understand the changes, we have prepared a brief FAQ.
The UK is leaving the EU, does this GDPR still apply?
Yes - the British government has made it clear that the GDPR will be implemented in full, regardless of Brexit, to ensure the continued alignment of EU and British law on data protection.
What are GURU Cloud doing to ensure compliance?
We have been actively preparing for the regulations for almost 12 months. As always, we will continue to consider industry best practices relating to security and processes when providing your service and we have been working closely with our partners to help ensure they are also compliant. We will also be introducing updates to our Terms and Conditions, as well as a new Data Processing Policy. These updates will ensure that services we provide to you can continue uninterrupted after 25th May 2018.
Why are these changes needed now?
The new agreements must be in place before the 25th May 2018 to ensure that when the directive comes into force, services provided are compliant.
Do I need to be GDPR compliant?
Almost certainly yes. The GDPR applies to personal data collected, held or processed. The following excerpt is from the Information Commissioner's Office (ICO) definition of personal data:
"The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. … The GDPR applies to both automated personal data and to manual filing systems"
If GURU Cloud are compliant, does that cover me?
No. The GDPR requires you to ensure your own compliance.
I am PCI compliant, is this sufficient?
No, the GDPR is very different to PCI. PCI mandates strict technical measures required for payment processing. While PCI compliance may help on the road to GDPR compliance, the GDPR is technology agnostic and focuses far more broadly on the protection of personal data collected, held and processed.
Can you help me with my GDPR compliance?
If you have any specific questions regarding your service that you need answered when assessing your own compliance, we are here to help if we can, but we cannot offer formal GDPR advice.
Compliance is something your organisation must undertake itself.
What do I need to do?
You may need to update your own Terms with your suppliers or customers, along with your processes and procedures and any other software and systems you use. We cannot provide advice on this, and we strongly recommend you engage your own legal representatives or GDPR specialists to ensure your own compliance with the GDPR.
Where can I read more?
The UK's Information Commissioner's Office (ICO) is a good place to start: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Further reading can be found on the EU GDPR website: https://www.eugdpr.org/
GURU Cloud Team
Thursday, April 19, 2018