GDPR Compliance with Wasabi
Organizations subject to the GDPR can use Wasabi to store and maintain personal data.
Wasabi is an affordable and fast cloud storage service. Businesses and institutions use Wasabi hot cloud storage for a variety of purposes including primary storage for application data and content, secondary storage for backup or disaster recovery, and archival storage for long-term data and record retention.
This white paper provides a brief overview of the use of the Wasabi service in light of the GDPR.
GDPR was enacted in 2016 to strengthen and unify data protection for individuals within the European Union. The mandate is intended to provide citizens greater control over their personal data and to improve the flow of personal data within the EU. GDPR also regulates the export of personal data outside the EU (but does not require that personal data be stored within the EU).
GDPR went into effect on May 25, 2018, supplanting the existing European Data Protection Directive (95/46/EC Directive). The new regulation applies to any organization that has a presence in the EU or that offers goods or services in the EU.
Important GDPR terminology includes:
- Data controller – an organization that collects or provides data regarding EU residents (e.g. a Wasabi customer)
- Data processor – an organization that processes data on behalf of a data controller (e.g. a cloud provider such as Wasabi)
- Data subject – a person living in the European Union
- Personal data – any personally identifiable information relating to a data subject (e.g. name, identification number, location data, online identity)
GDPR imposes strict data privacy and security rules for both data controllers and data processors. The mandate requires appropriate safeguards to protect the privacy of personal data, and defines consent rules for disclosing personal data. GDPR also grants individuals the right to examine, amend, correct and delete personal records.
Key GDPR data privacy and security provisions include:
- Articles 15, 16 and 17 – rights of access, rectification and erasure – give data subjects tight control over their personal data
- Article 20 – right to data portability – grants individuals the right to transfer personal data from one electronic processing system to another
- Article 25 – data protection by design and default – requires data controllers to implement appropriate technical and organizational measures to safeguard personal data
- Article 32 – security of processing – requires the “pseudonymization” and encryption of personal data
- Articles 33 and 34 – notification of a personal data breach – require data controllers to notify supervisory authorities and data subjects of personal data leakage