5.7 Data protection at Data Provider

It is imperative that any organisation hosting IP-classified or personal data documents its data management processes. The term Data Provider includes any infrastructure where data is stored in the long term; it can mean a data repository or a data space connector. Depending on the classification of the data, different precautions might have to be taken. If the data include personally identifiable or confidential data, stronger requirements need to be formulated. The data handling needs to be documented, and there are frameworks that could be considered (if not already established) to ensure that the necessary processes are documented and traceable. For example, ISO 9001:2008 for quality management systems, ISO/IEC 27001:2013 for information security management, ITIL (IT Infrastructure Library), or the UK initiative Cyber Essentials could be used. Additionally, similar (although not formally acknowledged) quality assurance procedures might also be suitable; the most important consideration is that the organisation reflects on data security and access – and implements routines that ensure data protection.

It is important that third-party organisations (e.g., a cloud-based data-hosting company or a third-party organisation managing parts of the IT infrastructure) comply with the requirements (GDPR addresses this in Art. 28 and Art. 29), and that this compliance is documented.

GDPR Art. 35 also states that any organisation managing personal data must make an impact assessment of the risk in case of a data breach.

The Data Provider must address data protection measures and document the data-protection implementation. An overview of the topics to address is given in Table 15.

Table 15: Data Provider data-protection documentation

Topic: Overview
Description:
- Presenting the scope for data hosting, handling, and processing.
- Defining the start and end date (if applicable) for data hosting.
- Providing a description of the organisational structure.
- Providing an overview of personnel who will have access to data.

Topic: Legal
Description:
- Analysing the responsibilities in the context of data protection and privacy issues, including GDPR and national legal compliance. What legal issues must be handled, and how will this be done?
- Consider formulating a Data Protection Impact Assessment (DPIA) if applicable.
- Describing relevant contracts/agreements and their impact on data usage, publication, and further data sharing/exchange.

Topic: Status, implementation and assessment
Description:
- Providing the status of the described implementation: is it planned or already implemented? Provide a time plan with technical details where applicable.
- Providing a disaster recovery plan with risk assessments.
- Providing an incident response plan for data security breaches with risk assessments.
- Providing relevant internal routines/guidelines, as well as training for personnel.
- Describing how data is protected from unauthorised (physical and logical) access.
- Describing how data can be securely transmitted from Data Provider to Data Consumer.
- Describing how data is protected from accidental deletion (see appendix A.3).
- Describing the principles for how data access is granted and which agreements need to be in place.
- Describing the usage of the Data Management Plan as a means to plan for data preservation and handling after a project has ended.