General Data Protection Regulation (GDPR)


CM Security GmbH's guide to the European data protection rules



Overview of the new privacy laws and best practices

Since May 25th, 2018, the  General Data Protection Regulation (GDPR) is into effect, opening a new era of data protection and privacy for everyone. While you've certainly heard and read a lot of information about GDPR, it can be difficult to understand exactly what it means for your business, in practical terms, and what you should do to be compliant with the new rules.

At CM Security GmbH, we are committed to follow best practices in terms security and privacy. We strive to provide the same level of protection to all users and customers, without distinction on their location or citizenship. And we apply those best practices for all data, not just personal data.

CM Security GmbH and its subsidiaries are compliant with GDPR.

A. What you need to know about GDPR

The best way to understand GDPR is to  Read the Official text .  It's a bit long (99 articles over 88 pages), but quite readable for non-experts. It is an EU Regulation, that aims to harmonize and modernize existing privacy legislation, such as the EU Data Privacy Directive that it replaces. It lays down rules for the protection of natural persons with regard to the processing of their personal data, and the free flow of personal data within Europe. It is a Regulation, not a Directive, therefore applicable immediately in all EU member states, without requiring transposition into the domestic law of each country. EU countries have a limited margin of interpretation for the finer points, but fundamental rules will be the same for everyone, everywhere in EU. GDPR also brings the legislation to the next millennium, taking into account social media, cloud computing, cybercrime and the major challenges that they cause in terms of personal data privacy and security. GDPR is not a world-breaking new legislation, and it is fundamentally a good thing for citizens and businesses.

We want to emphasize that GDPR can be great for you and your customers. Complying to the GDPR may initially represent a lot of work, but there are upsides to the new rules:

- Increased trust from your customers and users

- Simplification: same rules are applied in all countries across EU

- Rationalization and centralization of your organizational processes

The purpose of GDPR is to give individuals more oversight on their personal data. If your company puts in place the correct strategies and systems, it will be easier to manage, more secure and safer for the years to come.

What are the risks if you aren't compliant?

The maximum penalty for non-compliance is an administrative fine of 20 million euros, or 4% of your global annual turnover, whichever is higher. A smaller maximum of 10 million euros or 2% of your global annual turnover is applicable for lesser infringements. These maximums are meant to be dissuasive for businesses of all sizes, but GDPR also requires the fines to be kept proportionate. Supervisory authorities (also known as Data Protection Authorities: DPAs) must take into account the circumstances of each case, including the nature, gravity, and duration of the infringement. These DPAs are also granted powers to investigate and impose corrective actions, which include the limitation of the infringing activities, without necessarily imposing a fine. Another risk if you do not comply is the loss of trust from your customers and prospects, who care about the way you process their data! Finally, many DPAs have hinted that they won't impose fines in 2018 yet, but they expect businesses to demonstrate that they are working towards compliance.

Key principles of GDPR

Scope

The regulation applies to any processing of personal data by any organization:

  1. If the controlling or processing organization is located in the EU
  2. If the organization is not located in the EU, but the processing involves personal data of data subjects located in the EU, and is related to commercial offerings or behaviour monitoring.

The scope therefore includes non-EU companies, which was not the case with older legislation.

Roles

The regulation distinguishes two main types of entities:

  • Data controller: any entity who determines the purposes and means of the processing of personal data, alone or jointly. As a general rule, every organization is a controller for its own data.
  • Data processor : any entity who processes data on behalf of a data controller.

        For example, if your company owns a database hosted on the CM Security Cloud, you are the controller for that database, and CM Security is only a data processor. If you instead use CM Security on premise, you are both controller and processor of the data.

Personal Data

GDPR gives a broad definition of personal data: any information relating to an identified or identifiable natural person. An identifiable person is one that can be identified, directly or indirectly, by means of their names, emails, phone numbers, biometric information, location data, financial data, etc. Online identifiers (IP addresses, device IDs, …) are also in scope.

This applies in business contexts too: info@cm-security.comis not considered personal, but john.smith@cm-security.com is, because it can be used to identify a physical person within a company.

GDPR also requires a higher level of protection for sensitive data, which includes specific categories of personal data such as health, genetic, racial or religion information.


Data Processing Principles

In order to be compliant, processing activities must observe the following rules: (as listed in Article 5 of GDPR)

1. Lawfulness, fairness and transparency: to collect data, you must have a legal basis, a clear purpose, and you must inform the subject about it.  Have a simple and clear Privacy Policy, and refer to it everywhere you collect data.  Verify the legal basis for each of your data processing activities

2. Purpose limitation: once collected for a purpose, request permission if you want to use it for a different purpose. e.g. - You can't decide to sell your customer data if it was not collected for that purpose.

3. Minimisation: you must only collect the data necessary for your purpose.

4.  Accuracy: reasonable steps should be taken to make sure that data is kept updated, with regard to the purpose e.g. - Be sure to handle bounced emails, and correct or delete the addresses.

5. Storage limitation: personal data should only be kept for the duration needed to fulfil its primary purpose.  Define time limits for erasure or review of the personal data you process, depending on their purpose.

6. Integrity and Confidentiality: data processors must implement appropriate access control, security and data loss prevention measures, in accordance with the types and extents of data being processed.  e.g. - Make sure your backup system is working, have proper security controls in place, use encryption to protect sensitive data such as passwords.

7. Accountability: data controllers are responsible for, and must be able to demonstrate compliance with all above processing principles. Establish and maintain a data mapping reference for your organization, describing the compliance of your processing activities.  Inform your customers via a clear Privacy Policy.

Legal Basis

In order to be lawful under GDPR (first principle), processing of personal data must be based on one of six possible legal bases, as listed in Article 6 (1):

  1. Consent. Valid when the data subject has explicitly and freely given consent after being properly informed, including a clearly stated and specific purpose. The burden of proof for all of this lies on the controller.
  2. Necessary for the performance of a contract , or to fulfil requests from the data subject, in preparation for a contract.
  3. Compliance with a legal obligation that is imposed on the controller.
  4. Protecting a vital interest. When the processing is necessary to save a life.
  5. Public interest or official authority.
  6. Legitimate interest. Applicable when the controller has a legitimate interest that is not overridden by the interests and fundamental rights of the data subject.

One major change brought by GDPR over previous data privacy regulation is the stricter requirements for obtaining valid consent.

Data Subject Rights.  Existing data privacy rights for individuals are further expanded by the GDPR. Organizations must be prepared to handle requests from data subjects in a timely manner (within 1 month), free of charge:

  1. Right to Access - Individuals have the right to know what and how their personal data is being processed, in full transparency.
  2. Right to Rectification - Individuals have the right to obtain correction or completion of their personal data.
  3. Right to Erasure - Individuals have the right to obtain deletion of their personal data for legitimate reasons (consent withdrawn, no longer necessary for the purpose, etc.).
  4. Right to Restriction - Individuals can request that the controller stops processing their personal data, if they do not want or cannot request full deletion.
  5. Right to Object - Individuals have the right to object to certain processing of their personal data at any time, for example for direct marketing purposes.
  6. Data Portability - Individuals have the right to request that personal data held by a controller be provided to them, or to another controller.


B. How you should prepare for GDPR

Disclaimer

We cannot provide legal advice, this section is only provided for informational purposes. Please reach out to your legal counsel in order to determine exactly how GDPR affects your company.

Here are the key steps we suggest for a GDPR compliance roadmap:

  1. Establish a Data Mapping of the data processing activities of your organization to get a clear picture of the situation. Data Protection Authorities often provide spreadsheet templates to help in this task. For each process, document the type of personal data and how it was collected ; the purpose, legal basis and erasure policy of the treatment ; the technical and organizational security measures implemented, and the subcontractors (processors) involved.

You will need to maintain this data mapping regularly, as your processes evolve.

  1. Based on step 1, choose a Remediation Strategy for any processing where you do not have a legal basis (e.g. missing consent) or where you do not have appropriate security measures in place. Adapt your processes, your internal procedures, your access control rules, backups, monitoring, etc.
  2. Update and publish a clear Privacy Policy on your website. Explain what personal data you process, how you do it, and what are the rights of individuals with regard to their data.
  3. Review your Contracts with a legal counsel, and adapt them to GDPR.
  4. Decide how you will answer the various kinds of Data Subject Requests.
  5. Prepare your Incident Response Procedure in case of data breach.

Depending on your situation, other elements could be added to the list, such as the appointment of a Data Protection Officer. Consult your internal processing experts and your legal counsels to determine any other relevant measure.

Remember!

Establishing a clear mapping of your processes will make everything easier on the road to compliance!


C. How is CM Security compliant with GDPR

At CM Security, implementing privacy and security best practices is not a new idea. As a Cloud hosting company, we're constantly revising and improving our systems, tools and processes, in order to maintain a great and secure platform.

Our GDPR Roles

Our responsibilities in terms of personal data protection depend on our various data processing activities:

Our Roles

Data Processing

Kind of data

Data Controller & Processor

On CM Security's premise

Personal data provided to us by our direct customers and prospects, our partners and all direct users of CM Security.com (names, emails, addresses, passwords)

Data Processor

On CM Security's Cloud

Any personal data stored in the databases of our customers, hosted in the CM Security Cloud or transferred to us for the purpose of using one of our services. The owner of the database is the data controller.

No role

On Customers' Premises

Any data located in databases hosted on-premise or in any hosting not operated by us.

Our GDPR documents

As a Data Controller, our activities are covered in our Privacy Policy , which has been updated for GDPR. This policy explains as clearly as possible what data we process, why we process it, and how we do it. Closely related to this, our Security Policy explains the security best practices we implemented at CM Security, at all levels (technical and organizational) in order to guarantee that your data is processed in a safe and secure manner.

In addition to those policies, our activities as a Data Processor are subject to the acceptation of our Service/Subscription Level Agreement. This agreement has been updated in order to add the necessary Data Protection clauses, as required by the GDPR.

As a Customer of CM Security you don't have anything to do to accept these changes, you already benefit from the new guarantees, and we will consider that you agree if we don't hear anything from you! In addition to these documents, we have also updated our website to insert privacy notices in all relevant places, in order to keep our users informed at all times.

Contact Us

Please contact us to be directed to the relevant DPA contacts. As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. CM Security is subject to the investigatory and enforcement powers of the Greek authorities and of the European Union Trade Commission.

CM Security GmbH

Otto-Hahn-Str. 3, D-72406 Bisingen

Landline: +49 (0) 7476 / 9495-0

e-mail: info@cm-security.com