Stricter EU regulations in the cloud
VCC aims to provide the highest possible level of data security for both our domestic and international clients. In particular, we focus on the continual updating of our cloud-based services’ data protection security, based on the latest legal requirements. As a result, we are currently analysing and preparing to implement the EU’s new General Data Protection Regulation (GDPR) before it comes into effect.
Several articles about the GDPR have already been published, both here in Hungary and in other EU member states. The regulation, which will officially be introduced in 2018, is stricter than current legislation, and all EU member countries will be subject to its interpretations of data movement. It will also provide greater guarantees to all parties that data movement can be traced back.
Why is this regulation so important to VCC? As a cloud-based service provider we are considered in legal terms to be data processors, and so are responsible for every piece of information we handle through which individuals can be identified, even if we only transfer it to a third party rather than store it ourselves. Due partly to the international legal environment and partly to our own IT environment and already acquired certificates, data generated by our partners’ activities is already subject to strict regulations. Security has been of particular importance with regard to bank card details moving through our system since the launch of VCC Pay. As such, VCC already has an approach in place similar to the EU requirements in the GDPR, and we now only have to deal with the specific regulatory and technical details in the new regulation.
The GDPR will allow EU citizens’ data sent to non-EU countries to be more closely monitored. Data owners will have to give clear consent to the data handling procedure. They will also be able to more easily demand that data processors modify or delete their data – the monitoring of which will of course be challenging, due to the required synchronisation of data between different process handling systems. For anyone authorising another party to process their personal data, data portability between providers will also become more transparent. Another important change in the EU regulation is that data owners will more easily be called to account, with fines of up to 20 million EUR, or 4% of a company’s annual turnover. However, at the same time, the life of companies such as VCC, who have a presence in several EU countries, will be easier, as they will only have to cooperate with the Data Protection Authority in the country in which their headquarters are based.
Although the new regulations will put an extra burden on service providers, they carry the promise of greater transparency and of a central supervising watchdog to settle disputes between parties.