GDPR Whitepaper

In 2016, the European Union (EU) approved a new privacy regulation called the General Data Protection Regulation. More commonly known as the “GDPR”, it came into force on May 25, 2018. 

As a company that has always taken privacy very seriously, the success of our customers in the GDPR era is very important to us. This is why we have put this document together to provide an overview of what CloudAlly has done to get our back-up solution prepared for the GDPR.

What is CloudAlly’s take on the GDPR?
We welcome the positive changes the GDPR brings, such as the increased harmonization and the “privacy by design and privacy by default” approach. Our view is that the GDPR is an opportunity to build privacy-friendly products while increasing customer trust.

What is CloudAlly doing in order to comply?
With customers in nearly every country in the world, preparing our product for the GDPR is a “must”.

  • GDPR Strategy.
    We retained outside counsel to help us understand the GDPR and prepare a GDPR compliance plan for our back-up solution. We built an internal taskforce with members of different departments (security, sales, product development, and others) to implement the product changes. The CEO of CloudAlly has been personally involved in the supervision of its implementation.

  • Data Mapping.
    We mapped CloudAlly’s data collection practices and determined that when using our product, CloudAlly is a data processor. As a provider of a backup solution, CloudAlly does not determine the “means” or the “purposes” of the processing of our customers’ personal data. Instead, CloudAlly processes the personal data on behalf of our customers.
  • Security.
    We obtained an ISO 27001 certification in 2014, which we renew periodically. Among other items, it includes the implementation of robust encryption techniques, periodic penetration tests and a data breach policy. Our customers can read more on our dedicated security site:

Authentication. We support authentication tools provided by Google, Facebook and Microsoft Azure. All these entities have announced that they are getting prepared for the GDPR. Moreover, we also provide our own authentication solution, with a two-factor authentication approach.

New features. We have made a number of modifications to our product and our systems so that it is easier for our customers to locate personal data and comply with right-to-be-forgotten requests. In addition, we are happy to provide a certain level of manual assistance, should our customers need it. In such cases, our customers can approach us by sending an email to and we will analyze the request and decide the extent of the available assistance in each instance.

  • Data transfers.
    Server flexibility. We let our customers choose the location of the data centers where their back-up information will be stored. For example, our customers may choose to have their information hosted in the Amazon Web Services EU data center located in the Republic of Ireland.
    Amazon Web Services. AWS has already announced that it will comply with the GDPR, and it is also registered with the EU-US Privacy Shield (see:
    CloudAlly’s Staff. Our staff sits in Israel, which was declared by the European Commission as a country that offers an adequate level of data protection.
    Payment Processors. We work with PCI compliant payment processors and billing partners that have announced they will comply with GDPR.
    Other vendors and partners. We work with vendors and partners who, like Amazon Web Services, have announced they will comply with the GDPR. 
  • Data Retention. We are developing new tools and functionalities which will allow our customers to set limited retention periods.
  • Ongoing Compliance. We are not approaching GDPR compliance as a one-time exercise, and we are committed to periodically reviewing our roadmap and ensuring ongoing awareness of the GDPR requirements.

Finally, CloudAlly understands that our customers want proof that our product is prepared for the GDPR, not just promises. That is why (a) we are ISO 27001 certified, as mentioned above, and (b) we follow the creation of mechanisms to demonstrate compliance with the GDPR (such as GDPR certifications and seals) and, based on the experience of others, will consider the value to our customers of adherence thereto.

Should I, as a CloudAlly customer, be concerned about the GDPR?
Our recommendation is that all our customers assess carefully whether they are subject to the GDPR and, if so, to what extent. The consequences of breaching the GDPR are very serious and could include fines of up to 20 million Euro or 4% of the breaching company’s global turnover (yes, the global turnover!).

If I am a customer not based in the EU, should I still be concerned about the GDPR?
Given the GDPR’s extraterritorial effect, our non-EU based customers are also encouraged to assess whether the GDPR applies to them or not. The GDPR will not only apply to companies that process the personal data of protected individuals and have a presence in the EU (e.g. offices or establishments) but also to companies that do not have any presence in the EU but offer goods or services to protected individuals in the EU and/or monitor their behavior where such behavior takes place within the EU.

As a CloudAlly customer, where should you start your “GDPR journey”?
If the GDPR applies to your company, we highly recommend conducting internal due diligence to map your specific data collection practices. This includes, among other matters, understanding what specific personal data (including sensitive personal data) of individuals protected by the GDPR your company is collecting (e.g. end users, customers, employees, etc.), from whom the data is collected, where it is being hosted, for what purposes it is being used, to whom it is being disclosed, and whether the personal data is transferred outside of the European Union or European Economic Area.

And then what?
Consider what personal data you are sharing with CloudAlly when using our services and, if required, please sign our Data Processing Agreement.

Where can I learn more about GDPR?
Additional information is available on the European Commission’s website here (

I have more questions. Who should I contact?
If you have any additional questions about the GDPR you are welcome to contact us at

Disclaimer: The information in this document may not be construed as legal advice about the interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law on their processing of personal data.
Last updated: Nov 5, 2018