The EU General Data Protection Regulation (GDPR), passed by the EU Parliament, goes into effect on May 25, 2018, and is focused on the security of EU citizen personal data wherever that data is stored. GDPR defines entities that gather personal data for any business purpose as Data Controllers who must implement all the GDPR requirements. By this definition, PhaseWare is not a data controller. However, PhaseWare may be considered a Processor, depending on services subscribed.
Data Controllers may outsource some processing functions, such as data storage and transmission, to third parties known as Processors, but not their responsibility for the security of data and for monitoring entities that process the data. The relationship between Data Controllers and Processors is broadly similar to the relationship between Covered Entities and Business Associates in HIPAA.
PhaseWare’s responsibilities as a Data Processor are defined in our contracts and are limited to logical and physical security, in accordance with the services outlined in service agreements between PhaseWare and its customers. PhaseWare does not have a business need to view, modify, manipulate, transmit or otherwise use the personal data to deliver contracted services. PhaseWare is responsible for notifying a customer of a data breach impacting EU personnel without undue delay and no later than 72 hours under GDPR, and we have processes in place to meet this requirement. PhaseWare customers are responsible for:
Our colocation sites undergo annual third-party audits against various compliance frameworks that focus on the security and availability of the Data Center Services system. Their audit status and compliance requirements are part of their Service Level Agreement with PhaseWare. PhaseWare customers will need to determine whether their setup and their own controls meet GDPR requirements.