David Fagan, solicitor and senior business consultant with Business Legal, writes on the upcoming EU General Data Protection Regulation.

Personal data related to EU residents will soon be protected by GDPR. Data controllers will be responsible for that data, wherever it resides. Organisations holding data on EU citizens must comply with GDPR, and any other organisation with which they share data must also comply with GDPR.

The relationship with a data partner cannot just be based on trust. The relationship must be documented with a written data processing agreement; otherwise, neither company will be complying with the rules. One sure sign of a non-compliant partner is the failure to enter into a data processing agreement.

To protect any data, a business first needs to know what data it deals with. Step One of GDPR compliance is an audit of personal data held.

Names and addresses are just the tip of the iceberg: Identifiers can be almost anything, including IP addresses, cookies, biometric data, DNA, and even pseudonymised data where only a limited number of people know the identity of the data subject(s).

Any organisation that controls or processes personal data must be compliant with the GDPR. (GDPR also covers members of the European Economic Area — Iceland, Norway and Liechtenstein. Switzerland is also covered by GDPR)

For data processors outside the EU or EEA, it gets a little more complex and requires the use Of a transfer mechanism approved by the EU. The most common of which are Model Form Contracts and Privacy Shield Registration. The rules are designed so that organisations handling EU data are brought within the jurisdiction of the GDPR.

Another thing to watch out for is consumer cloud services that aren’t designed for business use. Users often assume that the provider is GDPR compliant, but many organisations providing freeware to consumers have no incentive to be GDPR compliant. IT professionals will either have to block use of such services entirely or have some sort of mechanism to ensure compliance. With just weeks before the May 25 deadline, some cloud service providers have waited until the last possible moment to announce mechanisms to allow compliance. If a cloud service provider hasn’t said anything about GDPR compliance yet, then it raises some serious questions about whether they will be compliant in time.

Compliant cloud service providers will have data processing agreements and transfer mechanisms available, so it should be a simple task to discover if a provider is offering GDPR compliant services. If no data processing agreement is available, then it likely means they are not GDPR compliant.

One key reason to have data controllers that understand their GDPR responsibilities is that it is their responsibility to report any breach of data within 72 hours of it being discovered. Failure to do that could incur catastrophic fines for them.

Summary of steps

Step 1. GDPR compliance starts by knowing what personal data is held by an Organisation. That audit is the first step, as you need to know what you need to protect and where that data resides.

Step 2. If that data leaves the network, whether via remote storage or third-party processing, you must ensure contractually that the data is secure.

Step 3. Any third party handling the data must be able to provide a legally binding controller processor agreement. Does that third-party offer a GDPR compliant controller processing agreement that complies with the GDPR requirements?

Step 4. If yes, sign the agreement.

Step 5. If no, will they have GDPR compliant data processing agreements available before May 25th?

Step 6. If still no, look for another organisation that offers similar services and can offer a GDPR compliant data processing agreement.