General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a new European data protection regulation adopted by the EU Commission. It replaces the EU Data Protection Directive, also known as Directive 95/46/EC. The GDPR becomes effective on May 25, 2018 and will strengthen the security of, and regulate, personal data in the broadest sense. The GDPR applies to both individuals and businesses and regulates the way in which personal data of citizens in the European Union should be handled.
We would like to provide you with answers to some of the questions that we hear time and time again from our customers. We also want to provide an update on what Rackspace has done to ensure that we will be ready for GDPR and what services we offer to our customers to help them meet their compliance obligations.
FAQs about the upcoming General Data Protection Regulation (GDPR)
When it comes to customer data, is Rackspace a controller or a processor?
Under the GDPR, a “controller” determines why and how personal data is processed. A “processor” processes personal data on behalf of the controller. Rackspace has limited knowledge of the data that each customer processes via the hosting infrastructure (“Customer Data”). Also, Rackspace only processes Customer Data in accordance with the customer’s instructions. Therefore, Rackspace is a processor of Customer Data hosted at Rackspace; the customer is a controller.
Will GDPR change the way Rackspace treats customer data?
Rackspace continues to treat customer data with the required level of sensitivity and confidentiality. Learn more about our security practices.
Rackspace will continue to invest in the security of its customer solutions to ensure it remains compliant with applicable legislation.
With the new GDPR, can an EU customer continue to host personal data outside of the EU/EEA?
Provided certain legal mechanisms are in place, EU customers can host personal data outside of the EU. Personal data may be transferred outside of the EU and the EEA when an adequate level of protection for that data is guaranteed.
To help achieve this level of protection, Rackspace is Privacy Shield certified.
Won’t I be in breach of the data protection laws if Rackspace transfers my personal data outside the EU/EEA?
The current laws allow Rackspace to process personal data and therefore support your services from outside the EEA if you have given us your consent, or if data is transferred to a non-EU jurisdiction deemed by the European Commission to offer an adequate level of protection for personal data, or if the transfer is subject to model contracts.
Can you keep my data in the EU only?
Rackspace is able to offer Fanatical Support by operating a 24/7 "follow the sun" support model that leverages our support engineers in countries where we operate. This means that although we will not move your personal data into another jurisdiction without your consent, sometimes we will need to provide you with support from outside the EU. We comply at all times with applicable laws.
Transfers of personal data originating from other locations globally to Rackspace affiliates are subject to the terms of the Intra-Company Data Processing Agreement which requires all transfers of personal data to be made in compliance with applicable Rackspace security and data privacy policies and standards.
Will the Data Protection laws/GDPR apply when Britain leaves the EU?
The U.K. legislation on data protection (Data Protection Act 1998) is derived from the EU Directive on data protection. The new General Data Protection Act, which is effective from May 2018, will replace the U.K. legislation, and the U.K. Information Commissioner has confirmed that the U.K. will comply with the GDPR to enable it to do business in Europe.
Do you have other data centers within the EU where I can store my data?
Yes, Rackspace has other data centers in other countries, including Germany, to provide our customers additional options for an EU footprint.
What services does Rackspace offer to help me comply with GDPR?
First, review the GDPR to determine whether it applies to your organization. If GDPR applies, make sure that you implement appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with GDPR.
Please feel free to reach out to a representative at Rackspace so that we can help tailor a solution to fit your business needs. While we cannot ensure that your company is GDPR-compliant, we do offer many products and services that can help you meet some of the GDPR requirements. You should always work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization and how best to ensure compliance.
How do I update my current agreement with Rackspace in light of GDPR?
We have a new Data Processing Addendum that will meet the requirements of the GDPR. Customers who need to incorporate GDPR provisions into their agreement can do so by following the instructions here.
Information about security products that we offer: https://www.rackspace.com/security
Fanatical Support for AWS customers can access Amazon’s EU Data Protection information here: https://aws.amazon.com/compliance/eu-data-protection/
GCP customers can find answers about the Google Cloud here: https://www.google.com/cloud/security/gdpr/
Fanatical Support for Azure customers can find additional information here: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx