We know the importance of keeping your critical business information safe and secure. After all, the risks of data exposure are significant:
- It’s your business-critical information. Your cloud contains extremely valuable and confidential content, including intellectual property, customer data, financial information and sensitive personal data. You need to have confidence in how it’s stored and managed.
- It’s the law. Data privacy laws like Gramm-Leach-Bliley Act, Fair Credit Reporting Act, SEC disclosure rules, HIPAA and the EU’s General Data Protection Regulation (GDPR) govern how data must be protected. Compliance with those legal requirements is mandatory if they apply to you or your customers.
- It’s your reputation. Data breaches can diminish customer confidence in your company.
- It’s your liability. Data loss can expose your company to significant financial and legal liabilities.
At Intermedia, we’re committed to protecting the privacy of your data and making sure you are in complete control of where and how it’s used. Examples of our commitment include:
- Identifiable customer data is not “mined” for any purpose. Intermedia does not mine identifiable customer data for any purpose—certainly not to serve you ads.
- You decide where your services are hosted. For many of Intermedia’s services, you get to choose where we host your service. Intermedia maintains data centers in various countries around the world. If you want your services hosted in the US, we’ll use our US data centers. If you want your services hosted in Europe, we’ll use our European data centers. And at any time, you can keep tabs on the data centers being used to host your services.
- We adhere to strict data protection frameworks. We are a self-certified participant in the EU-US Privacy Shield framework sponsored by the US Department of Commerce, which was created to bridge the gap between US and EU data protection and privacy standards. Our Privacy Shield Notice can be accessed here. In addition, we are committed to compliance with the EU’s General Data Protection Regulation (GDPR), effective May 25, 2018, and we offer data processing agreements to our partners and customers to help them comply with their obligations under the GDPR. We treat all data equally, so all of our EU and US customers benefit from this strict level of protection.
- We help you meet your compliance needs. Legal and regulatory compliance is extremely complex, with different requirements potentially applying to a company’s activities based on factors such as the content, location and use of the data. Intermedia helps you comply with these requirements not only by providing highly secure services designed to meet applicable legal and regulatory requirements, but also by providing partners and customers with compliant documentation, such as GDPR-compliant Data Processing Addendums and HIPAA-compliant Business Associate Agreements (BAAs), that demonstrates our commitment, as your vendor, to comply with these crucial obligations.
General Data Protection Regulation (GDPR)
Effective May 25, 2018, the General Data Protection Regulation (GDPR) is a European privacy law that imposes significant new requirements on any company or entity that handles, stores, collects, processes, uses or analyzes any personal data of residents of the European Union (EU). It gives EU residents greater control over the data that companies have about them, and it creates heightened security, disclosure, access and notification obligations on any business that interacts with EU residents.
Intermedia has extensive expertise managing a highly secure infrastructure and complying with complex regulations. We currently self-certify compliance with the EU-US Privacy Shield framework (access our Privacy Shield Notice here) and are committed to complying with the GDPR across our services. Intermedia maintains a security environment that meets the requirements of the GDPR, and we offer GDPR-compliant Data Processing Addendums to our partners and customers to help assure them that our processing and handling of their data will meet the GDPR’s standards. Ultimately, every business needs to carefully assess its own business activities and its compliance with the GDPR, but we can help by managing GDPR compliance on the services we provide.
What are the key elements of the GDPR?
The GDPR is complex, but the following is a high-level summary of its key elements:
- Individuals Have Greater Control over Their Data: Under the GDPR, EU residents have “data subject rights,” which include the right to (a) receive information about how their personal data is used; (b) access that data; (c) make corrections to, or delete, incorrect information about them; (d) “be forgotten” (which means they have the right to insist that their personal data be deleted under certain circumstances); (e) limit or object to automated processing of their personal data; and (f) receive a copy of their personal data.
- Companies Must Maintain a Comprehensive Security Program: Entities that handle, store, collect, process, use or analyze any personal data of EU residents must implement and maintain a comprehensive security program with appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which includes, at a minimum, specific security measures identified in the GDPR (such as pseudonymization and encryption of Personal Data and a process for regularly testing, assessing and evaluating the effectiveness of those technical and organizational security measures).
- Companies Have Stricter Disclosure and Notification Obligations: The GDPR imposes duties on companies to provide prompt notification of security breaches to data protection authorities and affected individuals. The GDPR also obligates entities to disclose to individuals if their data is being processed by third parties and to inform individuals how their data will be used – and obtain consent for such use.
What data is subject to the GDPR?
The GDPR applies to any “personal data” of an EU resident. “Personal data” consists of any information that can be used to identify a person. In some cases, it’s easy to identify “personal data” – for example, an email address, taxpayer or employee ID number, or a person’s name accompanied by a work or home address. However, “personal data” may also include less obvious types of information, such as a person’s biometric data, location information and/or IP address. It is very broadly defined.
What types of agreements does Intermedia offer regarding GDPR compliance?
The GDPR states that data controllers (such as Intermedia’s customers) may only use data processors that provide sufficient guarantees to meet key requirements of the GDPR. Intermedia meets that requirement, and we are pleased to offer a Data Processing Addendum to any Intermedia partner or customer. That addendum contains contractual commitments to comply with the GDPR, as well as the other commitments described below. Please contact your Intermedia account representative for assistance putting a Data Processing Addendum in place.
What commitments are contained in Intermedia’s Data Processing Addendum?
Intermedia’s Data Processing Addendum includes a number of commitments on the part of Intermedia, in its capacity as a processor of EU residents’ data, to comply with the GDPR. The GDPR requires that processors such as Intermedia commit to:
- Obtain the controller’s consent before using subprocessors and remain liable for the activities of any subprocessors;
- Only process EU residents’ personal data on instructions from the controller;
- Ensure that personnel, such as employees and contractors, who process personal data are trained and committed to confidentiality;
- Implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk;
- Assist controllers in complying with their obligations to respond to data subjects’ requests to exercise their GDPR rights;
- Upon becoming aware of a security breach, provide timely notice of the breach and help the controller comply with its disclosure obligations;
- Assist controllers with data protection impact assessments and consultation with supervisory authorities;
- Make reasonable information available to customers to help them assess the processor’s security program;
- Delete or return personal data once the services are terminated (except as needed by the processor to continue to provide services or manage its business); and
- Support the controller with evidence of the processor’s compliance with the GDPR.
Once I sign a Data Processing Addendum with Intermedia, am I done with GDPR compliance?
No! The GDPR is a far-reaching privacy law that touches any business that handles any personal data of EU residents. Intermedia can definitely help you comply with the GDPR, by fulfilling our obligations as a processor of any data that you, your customers and your users submit to Intermedia in connection with the services we provide. But there are a number of other actions you should be considering, such as:
- Consider the types of data you handle, store, collect, process, use or analyze in the conduct of your business:
  - Do you have any employees in the EU?
  - Do you have any customers with offices in the EU?
  - Do you (or, if you resell Intermedia services, do your customers) handle personal data of individuals, potentially residing in the EU, in the normal course of business (such as medical insurance billing, HR or payroll services, etc.)?
  - Do you provide services to your customers where you do not know the content of what you are processing (such as email or archiving services)?
  Any data that you have in connection with these or similar activities may be subject to the GDPR’s requirements.
- Review your own security infrastructure and ensure that it is sufficient to protect any personal data that you store that may be subject to the GDPR.
- Make sure you understand and can comply with the GDPR’s notification, disclosure, consent and other requirements in your handling of any possible personal data of EU residents.
- Obtain Data Processing Addendums from any vendor or service provider to which you or your customers may be sending personal data of EU residents for processing.
- Prepare and offer GDPR-compliant Data Processing Addendums to your own customers who may require such agreements for the services you provide to them.
GDPR compliance obviously requires a very detailed and business-specific analysis. Intermedia provides GDPR-related assurances regarding the services we provide. Most companies that, directly or indirectly, have contacts or dealings with the EU are working with outside legal and compliance advisors to help them understand how the law applies to their own business and what they need to do to comply. If you have any questions, Intermedia is happy to point you to additional resources that may help you look into these issues.