Qubole has been preparing for GDPR—Europe’s General Data Protection Regulation. We were founded by real-world operators who understand that security, confidentiality, and data privacy are fundamental to our mission and our commitment to a customer-first culture. We understand the complexities of GDPR compliance and we’re dedicated to helping ensure your success and GDPR readiness by defining boundaries and minimizing your risk. Our platform was originally designed to separate the orchestration of your big data workloads from the compute and storage of your data in your cloud provider account. This effectively minimizes the amount of data sharing and lowers your risk exposure.
What is the GDPR?
GDPR is a new set of data privacy regulations designed to harmonize various data privacy laws across the EU to create a common set of regulations for protecting EU residents’ personal data. GDPR not only applies to companies that process the personal data of protected individuals, and have a presence in the EU (e.g. offices), but also to companies that do not have any presence in the EU but target individuals within the EU. Your company should carefully assess whether they are subject to the GDPR. The GDPR takes effect on May 25, 2018.
What does my company need to do about GDPR if we’re using Qubole?
If your company determines that you’re subject to GDPR regulations and you’re using Qubole, please read our new Data Processing Addendum (DPA). This document satisfies the contractual requirements of GDPR.
What are the key requirements of the GDPR?
The GDPR is daunting in its complexity and scope (there are 99 articles in total), but there are seven key principles that govern data collection processes.
- Lawful, fair, and transparent processing–emphasizing transparency for data subjects.
- Purpose limitation–legitimate purpose for processing the information in the first place.
- Data minimization–making sure data is adequate, relevant, and limited, and Qubole is capturing the minimum amount of data needed to fulfill the specified purpose.
- Accurate and up-to-date processing–requiring data controllers to make sure information remains accurate, valid, and fit for purpose.
- Limitation of storage in a form that permits identification–discouraging unnecessary data redundancy and replication.
- Confidential and secure–protecting the integrity and privacy of data by making sure it’s secure (which extends to IT systems, paper records, and physical security).
- Accountability and liability–demonstrating compliance.
We’re all in this together!
Qubole believes in a shared responsibility business model. Qubole is responsible for the security of the platform. We also ensure that the orchestration layer and how we access the compute and storage is secure and efficient.
You are responsible for the security of your data by using Identity and Access Management policies that support least privilege to ensure that only the necessary entities and personnel in your organization have access to the data and functions that they need. Your cloud provider (AWS, Azure, or Google) is responsible for providing the tools, services, and functionality that enable both Qubole and you to be successful.
Data Controller vs. Data Processor Responsibilities
Clarifying the roles. You (and your company) act as the Data Controller for all data that you are processing within Qubole. Qubole acts as a Data Processor for you with one exception; the data about you and your fellow employees. In this case, Qubole acts as the Data Controller. Please see our new Qubole DPA. This document outlines how we’re helping you meet your obligations regarding the handling of personal data.
Qubole Security & Feature Updates for GDPR
Qubole is continually implementing best practices to safeguard the service we provide. We understand that you use Qubole to achieve success with your big data jobs and workloads, and we are always looking for ways to improve and streamline those processes.
- Qubole has already completed SOC2 and EU-US Privacy Shield and is on track this year for ISO-27001 which has a direct emphasis on international compliance and governance.
- Qubole supports updates to the data where we act as Data Controllers (you and your coworker’s email addresses and names and the IP addresses where you are accessing Qubole from) and we have deployed encryption for the sensitive and confidential information.
- Qubole also fully supports Data Subjects’ rights to have inaccurate information updated, the indexing and reporting of all data held by Qubole, and finally the right to delete data that doesn’t harm your ongoing use of the Qubole Data Service.
Please visit our GDPR page and GDPR brief for more details about our GDPR compliance efforts and our recommendations for customers.