Does your company use free online services like DropBox or Google Docs to store personal data?
I’m not a lawyer, but you’re probably breaking the law now.
The thing with free plans is that they don’t tend to be protected by a GDPR-compliant data processing contract *, and yet there’s nothing to stop businesses using their products for purposes that require one.
* a highly specific contract is required under Article 28(3) if you use another service to process people’s personal data – See earlier post.
Imagine how many small companies are using free services to store customer contact details in spreadsheets and have no idea their agreement with the provider does not protect this data. It’s all very well saying it’s the company’s fault, but what about the obligations of the (much larger and wealthier) service provider?
While I was preparing for GDPR I made some assumptions which I didn’t realise were wrong until almost too late, and frankly I’m still confused about Article 28 paragraph 3. (Yep, I quote regulations now).
If you run any kind of website that stores people’s details, you might want to check this out too.
Some background –
- In plain English: My website stores your email address on my hosting provider’s servers.
- In GDPR speak: I am a Data Controller and the host is a Data Processor.
Under Article 28(3) I must have a specific contract with my hosting provider that extends my GDPR obligations to them. This goes for any service provider that you use to store or process personal data that isn’t your own. In my case it includes Linode, Stripe, AWS and MailChimp. (I also use Google Docs and DropBox, but I’ll come to those later).
No problem, of course I have contracts with these companies. They will just update their terms of service and all will be nice and legal. Unfortunately it’s not that simple, and the next person who tells me “you don’t need lawyers” is going to get an earful.