Brightbox and the GDPR

I’m sure you will already be aware of the GDPR - the comprehensive reform of European Union (EU) privacy law which comes into force on 25 May 2018.

At Brightbox we have been working on updating our policies and procedures in readiness for GDPR and I thought it would be useful to give a quick overview, explain what we’re planning and hopefully answer any questions that you may have.

What is the GDPR?

The General Data Protection Regulation is the new EU data privacy law which harmonises data protection regulation across the 27 member states, with the intention of increasing transparency and strengthening the data privacy rights of EU residents.

The GDPR becomes enforceable from 25 May 2018 and applies to any organisation that controls and processes the personal data of EU residents.

“Personal data” is broadly defined within the GDPR, but in general it can be thought of as any data that can be used to personally identify an individual.

Who does the GDPR apply to?

The GDPR applies to any person or organisation that provides goods or services to EU residents or is otherwise involved with the processing of their personal data, regardless of whether the organisation itself is based within the EU.

The GDPR (and the data protection act before it) clearly defines two main types of organisation involved in data processing:

• a controller is a natural or legal person or organisation which determines the purposes and means of processing personal data.
• a processor is a natural or legal person or organisation which processes personal data on behalf of a controller.

How does GDPR apply to Brightbox and our customers?

According to the definitions above, Brightbox is both a “data controller” and a “data processor”.

Brightbox as a data controller

Brightbox is a data controller in the context of handling our own customers’ personal data (account information, billing details etc) and is required to ensure that our handling of this data complies with the requirements of the GDPR.

To assist with this requirement, we are updating our Terms & Conditions and our Privacy Policy.

Brightbox as a data processor

Brightbox is a data processor in the context of providing cloud infrastructure services to our customers (themselves data controllers) who may use our services to process personal data that they control. Article 28 of the GDPR places responsibility on data controllers to only use processors (e.g. cloud providers) that can provide “sufficient guarantees” that they will meet the requirements of the GDPR, and this must be backed up with a legally binding agreement.

To assist with this requirement, we will be providing a new Data Processing Agreement which will provide customers with the relevant assurances and information.

How will Brexit affect GDPR?

In March 2019, the UK will formally leave the European Union (known as “brexit”). We don’t anticipate any major impact on our compliance with GDPR, for the following reasons:

• The GDPR applies to organisations whether or not they are located within the EU. Once the UK has left the EU, Brightbox will still be bound by GDPR regulation because it provides services to EU residents
• The UK government is proposing a new data protection bill that will enshrine/mirror the fundamentals of GDPR in UK law
• It is expected that the UK will be added to the list of non-EU countries deemed to provide an adequate level of data protection without further safeguards being required. We may also consider incorporating the EU “model clauses” for processing data outside of the EU in readiness for Brexit.

What’s next? **Update**

Please see new or updated versions of the following:

• Terms & Conditions
• Privacy Policy
• Data Processing Agreement (DPA)

If you have any questions about GDPR or our legal documents, please do get in touch and we’ll be happy to help.