The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. Unlike its predecessor, the GDPR will be directly effective in European Member States without the need for implementing legislation. For more information, follow this very informative GDPR course by internet security specialist Troy Hunt.
The GDPR is not only relevant for Europe but also applies outside of the EU whenever: (1) an EU data subject’s personal data is processed in connection with goods/services offered to him/her; or (2) the behavior of individuals within the EU is “monitored”.
Therefore, if your organization or business offers paid or free goods or services to anyone in the European Union member states, then you need to adhere to the GDPR. Here are four of the many possible indicators that your business is targeting individuals in the EU:
As part of our measures we have implemented the following:
The most penalizing parts of the GDPR are the ones that concern data breaches, so possibly the most important thing of all is what we have been doing all along: creating a secure service. There are many checkboxes that need to be checked, but if you want to keep in mind just a single one, this would be it: Don't get hacked.
Platform.sh has many security layers that make attacks much harder than on comparable services, starting from our read-only hosts and containers, through our auditable and reproducible build chain, the static-analysis-based protective block, our dynamic WAF, and our HTTPS by default, to our iron-clad "no insecure protocols" policy. Running your workloads on Platform.sh means your systems are much less likely to get hacked, and therefore you are much less likely to be liable under these very stringent new rules.
With billions of personal data records compromised from online systems worldwide since 2004, individuals stand to be better protected against fraud, identity theft, and blackmail under the GDPR.
At Platform.sh, we will ensure we are specific and unambiguous in the way we ask you to share your personal data. You also have the right to access or erase any of your own personal data we have recorded in our systems. Any personal data you supply to Platform.sh is held in accordance with the GDPR and, when applicable, you can assure your clients doing business in the EU that your backend provider complies with the GDPR.
You can rely on many of the things we do to satisfy your GDPR requirements. However, we provide infrastructure, and many of your compliance questions will arise at the application level. We give you a lot of control: you can run anything on Platform.sh, including insecure code. You can turn off HTTPS. You can put your administrator password on a post-it. These items are beyond our control.
In order for your workload to be compliant with GDPR, these are key steps you should consider for your application:
It is also important to prepare the necessary steps within your company with regard to data breaches. For this, we recommend that existing users map out the flow of any personally identifiable information their application sends outside of Platform.sh's systems. Whilst Platform.sh helps companies be ready for the GDPR, you must verify that your company is fully GDPR compliant.
To help you on this journey we are publishing blog posts on the GDPR that go into much further detail.