In our office in Cork, Ireland, the postman (normally it’s a woman) comes into our office to deliver the post. It’s nice, we chat, etc. In an increasingly electronic world, the human touch is always appreciated. This week a new postman delivered the post, Finbarr. He knew one of my colleagues and they chatted a bit. When he left, my colleague told me that Finbarr had recently written a children’s book.
I was impressed and, keen to support Finbarr’s initiative, I went online and bought “Little Cat Moe”. http://littlecatmoe.com
Nice story – yes. But here is where it gets tricky.
I applied the GDPR to the transaction. The above website's online store appears to be on the platform of Yola Inc (www.yola.com), a company based in San Francisco with offices in South Africa and Ukraine. They have over 8 million registered users. A decent-sized operation and a good choice by Finbarr. Yola Inc is the processor of my personal data. Finbarr is the controller. Thus, he is accountable for what happens with my data. My quick analysis highlights the following concerns for the controller:
- Yola Inc does not appear to have any presence in Europe. If not, do they have a Representative in the EU? This is not clear.
- The personal data is probably hosted outside of Europe.
- The personal data is probably also processed in South Africa and Ukraine. These are both third countries. So international data transfers need to be addressed here.
- Does Yola use any sub-processors? It is not clear from their website.
- I have done a search for GDPR in Yola’s support and got no results.
The Processor's Responsibility?
Yola Inc will need to have a Representative in the EU or a physical presence. Article 27 clearly states that this is not needed only when the processing of data is ‘occasional’. As Yola Inc has over 8 million registered users, this would clearly not be deemed as ‘occasional’.
Where does the buck stop?
With the controller, Finbarr. You cannot outsource accountability. However, from a business and practical perspective, I think the processor should lead here. Finbarr has managed to publish a really nice children's book. He is entitled to expect that if he chooses a well-established service provider like Yola – then they will be GDPR ready (and they could be - the deadline is May 2018). I really feel that the onus is on the service providers, the processors, to get GDPR ready and then communicate this to their customers like Finbarr. This should be part of the service. Support small business owners who show the initiative to create something new and then sell it online.