What is considered as data?
Data is any information collected to be examined, analysed, and used to help decision-making, or from which conclusions can be drawn. Data also refers to information in an electronic form that is suitable to be stored and used by a computer.
“Personal data,” meanwhile, refers to information that relates to an identifiable person. How can a person be identified? Through a wide range of data: name, identification number, location data or online identifier (e.g., a user name).
Under the GDPR, as soon as you process or control data, you need to store it. Moreover, the GDPR requires you to know the type of personal data you’ve collected and why you’re storing it, to document this policy, and to destroy any personal data you no longer have a legal or contractual obligation to hold.
But does it really matter where you store all this data? To answer this, first and foremost, you must consider the security of whatever storage method you choose, keeping in mind that the GDPR imposes higher fines and sanctions for lost personal data that cannot be recovered or protected.
Data storage options
Data can either be stored on the premises or in the Cloud (public or private). Many companies opt for a hybrid approach.
If data is stored on the premises:
Most businesses will use some form of “on-premises” data storage – a manual filing system or files saved locally on a device.
Advantages:
- Easy and fast access to files;
- Full control over the security and management of data.
Disadvantages:
- Physical files are often difficult to keep track of and are rarely backed up, and the GDPR requirement to destroy any personal data you no longer have a legal or contractual obligation to hold may prove especially onerous if you hold large amounts of data in physical formats;
- Both physical and electronic files take up space;
- Without back-up or redundancy, there’s serious risk of loss (think spilled coffee on an important document or a stolen laptop!).
If you store any amounts of data on-premises, we recommend you conduct a risk analysis to understand where your vulnerabilities may lie with regard to GDPR compliance.
Data is Cloud-based: What does that mean?
Storing data in the Cloud means that the physical electronic data is stored externally, and is accessed with your device via the internet.
It can be private (e.g. hosted in your IT provider’s data center facility) or public (such as Office 365, DropBox, where the service is hosted by a third party).
Advantages:
- Data is less reliant on a single hardware device and is therefore more easily recoverable if a device is lost, stolen or damaged.
- The management and maintenance of the hardware data storage platform is a third party’s responsibility.
- The provided data center is highly secure and regular back-ups are in place, meaning your data is likely to be adequately safeguarded.
- Data stored in the Cloud can more easily be accessed from any location with internet access, making Cloud storage a flexible option that is particularly useful if you want to enable your staff to work remotely.
Disadvantages:
- If you are using a Cloud service provided by a third party, the security of your data is in their hands. It’s important to ensure your data is secured appropriately, because you can’t avoid responsibility for the security of the data you collect and store simply because you use a third-party, Cloud-based storage provider.
- Though most popular third-party Cloud-based storage providers, being themselves caught under GDPR regulations, have GDPR policies that are readily accessible, you will still need to review such policies and verify that you know where your data is located, how it’s stored and backed up, and the process involved if it ever needs to be destroyed.
- Similarly, your service agreement with your private Cloud provider needs to be reviewed and you’ll need to verify, for example, where your data is located, that there are adequate back-up procedures in place, how breach reporting would be dealt with, and under what circumstances they would seek your consent about the processing of your data.
So does it really matter where I store my data?
The simple answer is yes. Even though you are free to decide on your data storage method (either on premises or in the Cloud), you need to be aware of the advantages of one method over the other, and be mindful of your ongoing obligations under the GDPR. Failing that, fines and sanctions may be in your future!
HOW CAN WE HELP?
The Consultant Team of MLS Company Secretary can help you with:
- Reviewing policies and procedures
- Drafting your Data Processing Agreement
- Reviewing existing contracts
- Staff training
- Identifying operational vs. legal questions and gathering competitive fee estimates for legal advice if necessary
Hélène Canard-Duchêne (Singapore)
+65 9396 9193
Maëva Slotine (Hong Kong)
The material contained in this article is provided for general purposes only and does not constitute legal or other professional advice.