As many of you know, the General Data Protection Regulation (GDPR) will become enforceable on May 25, 2018. In preparation for this new regulation, iOFFICE has undergone an independent gap assessment to identify and implement the controls necessary to comply with the GDPR. This update is to inform you of our role in compliance, as well as to provide you with the tools necessary to be in compliance regarding data stored in the iOFFICE application. Refer to the following sections for additional information and expectations.
What is the GDPR?
The European Union’s General Data Protection Regulation (GDPR) is replacing the Data Protection Directive with the purpose of ensuring appropriate protection of the personal data of EU residents (data subjects) in a global, digital society and harmonizing data protection laws across the EU. The GDPR applies to the processing of personal data, which is any information relating to an identified or identifiable natural person and includes data such as an IP address, an email address, a telephone number, and so on. Processing activities include the collection, use, and disclosure of the data. In general terms, the GDPR requires the following when processing personal data.
- Data must be processed lawfully, fairly, and in a transparent manner.
- Data must be collected for specified, explicit, and legitimate purposes and used solely for those purposes.
- Data collection must be limited to only what is adequate, relevant, and necessary for achieving specified purposes.
- Data collected must be accurate and kept up to date.
- Data must not be stored for longer than necessary to achieve the purposes for which it was collected.
- Steps should be taken to maintain data integrity and confidentiality—it must be properly secured against accidental loss, destruction, or damage.
The GDPR also details the conditions of lawful processing, clarifies the notion of consent, and details the specific rights of EU data subjects concerning their personal data, including the right to information, the right to be forgotten, the right to restrict the processing of data, and the right to data portability. For more detailed information on these topics, refer to the full-text version of the GDPR.
The scope of the GDPR is very broad, affecting all organizations established in the EU as well as any organization involved in processing personal data of EU residents. This means the GDPR applies to any organization controlling or processing personal data of EU residents, regardless of where the organization is established and where these activities take place. The GDPR also applies across all industries and sectors. We highly recommend that you consult with your legal and other professional counsel regarding the full scope of your compliance obligations under the GDPR as a data controller.
Controller or Processor?
While there are many new terms related to the GDPR, we want to provide some additional clarity around the different responsibilities assigned to Data Controllers and Data Processors, to help you understand how the GDPR affects your relationship with iOFFICE and the iOFFICE application.
- iOFFICE customers are Data Controllers.
iOFFICE customers retain ownership of all data stored in the iOFFICE application, and as such are classified as Data Controllers as defined in Article 4 of the GDPR. Data Controllers have a number of legal obligations that are separate from processors, and we encourage you to work with your legal and regulatory counsel to evaluate the impact of the GDPR on your organization and implement the necessary controls.
According to the accountability principle (Article 5(2)), Data Controllers (iOFFICE Customers) are ultimately responsible for complying with the GDPR and must be able to demonstrate such compliance.
- iOFFICE is the Data Processor.
iOFFICE processes data owned by our customers on behalf and at the direction of each customer. As such, iOFFICE is a Data Processor and responsible for processing data according to Article 28 of the GDPR. Among other things, Data Processors must provide the expected guarantees just as Data Controllers do and must implement the appropriate technical and organizational measures to ensure that the processing will meet the requirements of the GDPR.
As a processor, iOFFICE is also responsible for ensuring that our data centers meet these same requirements, which is why we host data at ISO 27001 certified data centers and verify compliance through external audits performed on these facilities.
Additional details about the responsibilities of iOFFICE and our customers are contained in the GDPR Data Processing Addendum.
Is iOFFICE ever considered a Data Controller?
How did iOFFICE Prepare?
iOFFICE has engaged external counsel, the Cybersecurity and Privacy Team at Holland & Knight LLP, to perform a GDPR gap assessment and to provide assistance to iOFFICE in its undertaking to become GDPR compliant. Holland & Knight assessed our current status along the following 12 organizational dimensions and recommended various controls as part of iOFFICE's compliance program.
- Policy Management
- Presentment of External-Facing Policies
- Data Classification
- Cross-Border Data Strategy
- Data Lifecycle Management
- Data Subject Rights Processing
- Privacy Impact Assessments
- Information Security
- Privacy Incident Management
- Data Processor Accountability
iOFFICE is implementing the recommended controls and is committed to complying with GDPR and working with our customers to ensure we support them in this critical area. We will be providing updates, from time to time, about our ongoing efforts and commitment to GDPR compliance on a case-by-case basis.
What is Required?
iOFFICE is adding a GDPR Data Processing Addendum to its existing customer agreements that will become effective on May 25th and that sets forth, among other things, iOFFICE's responsibilities as a Data Processor under Article 28 of GDPR. The addendum also contains Model Contract Clauses supporting the transfer of data from customers in the EU to iOFFICE's operations in the U.S.