General Data Process Regulation

Frequently Asked Questions

What Exactly is GDPR?

GDPR is the General Data Protection Regulation, an expansive EU regulation designed to ensure the safety and privacy of individual’s personal information. Even though it is an EU regulation, any company which works in the EU must ensure full compliance. It came into effect on May 25th, 2018.

What are the Key Requirements?

Individuals have greatly enhanced rights concerning company usage of their personal data. Any personal data that companies store or use must be done with the consent of the individual, and must be able to be supplied or deleted at the individual’s request.

Compliance can also be regulated, with authorities able to inspect how personal data is stored and used. Companies found not to be complying with GDPR could face a fine of up to 4% of their annual global revenue or €20 million (whichever is larger).

For a more comprehensive deep-dive on GDPR, check out the ICO’s guide to GDPR.

What Steps has Spot taken to Ensure GDPR Compliance?

Naturally, we’ve been looking into GDPR ever since it was legislated. Like everyone, we were keen to find out if or how it would affect our services and what we would have to do to be completely compliant.

At the bottom of this page, you can find our 12 step process for GDPR compliance, suggested by the ICO, making clear the steps we’ve already taken.

Does Spot Use or Store any Personal Data?

Our products only store data that is required for normal operation of our platform. No personal data is stored outside of names and emails for login, invoicing and support reasons.

The data our products save is not related to a specific user/individual but rather to a whole cloud provider account. As this is neither personal data nor could be used to identify an individual, it will not be affected by GDPR.

Apart from this, our marketing department does store email addresses to inform users of new products which they might find useful and roll out newsletters. Our consent process for these emails is fully compliant with GDPR and all marketing emails have a clear unsubscribe link. Customers wishing for all marketing contact details to be modified, reviewed or deleted should email gdpr@spot.io.

Does GDPR Have any Direct Effects on Spot Products?

No, our products will still function as they always have. We don’t store any personal or identifiable data from the servers we manage. We have visibility of server names only and this data is not stored nor does it need to be stored on our servers. This means that all your data is stored by your Cloud Service Provider, not by Spot.

To check up on some of the largest CSPs and their relationship with GDPR, see:

AWS: https://aws.amazon.com/blogs/security/aws-and-the-general-data-protection-regulation/

Azure: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

GCP: https://privacy.google.com/businesses/compliance/#?modal_active=none

What is the Impact on Spot’s Customers?

Spot customers will not be affected. Spot already takes steps to ensure data privacy and security of personal data. You can review a brief guide on our data protection policies here.

Does GDPR Have an Impact on any Spot Products?

Spot’s products don’t store any personal or identifiable data from the servers we manage. We have visibility of server names only and this data is not stored nor does it need to be stored on our servers. This means that all your data is stored by your Cloud Service Provider, not by Spot.

To check up on some of the largest CSPs and their relationship with GDPR, see:

AWS: https://aws.amazon.com/blogs/security/aws-and-the-general-data-protection-regulation/

Azure: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

GCP: https://privacy.google.com/businesses/compliance/#?modal_active=none

How Much Personal Data does Spot Use and Store?

Our products only store data that is required for normal operation of our platform. No personal data is stored besides private names and emails for login, invoicing and support reasons.

The data our products save is not related to a specific user/individual but rather to a whole AWS account. As this is neither personal data nor could be used to identify an individual, it will not be affected by GDPR.

Apart from this, our marketing department does store email addresses to inform users of new products which they might find useful and roll out newsletters. Our consent process for these emails is fully compliant with GDPR and all marketing emails have a clear unsubscribe link. Customers wishing for all marketing contact details to be modified, reviewed or deleted should email gdpr@spot.io.

I’ve heard GDPR might have an impact on companies using big data analytics. Will GDPR have an impact on any data analysed by Spot’s algorithms?

No, this data is not personal information so isn’t impacted by GDPR.

All of the data we use is associated with servers and private IPs, meaning that our information could never be used to identify a person. It is metadata such as “m4.xlarge was interrupted in AZ X region Y at time Z”. As it can’t be used to identify a person, either directly or indirectly, it will not be affected by GDPR.

What Protection does Spot have against Data Breaches?

Security is paramount for Spot. As such, we employ numerous security measures to ensure that our products and services are completely secure. You can read more about this on our Data Privacy and Security Page.

Does using Spot affect my company’s GDPR compliance?

Nope!

Spot’s Journey on the ICO’s “12 Steps to Take Now” for GDPR Compliance

Here is our GDPR progress roadmap, following the ICO’s “Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now”, which can be found here.

1. Awareness you should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

We have been looking into GDPR for months, making sure that our position is clear and completely in adherence with GDPR, from our CEO down to our regional business teams.

2. Information you hold – you should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

All information we hold is either contact details needed for invoicing or technical support (covered by Article 6(1b)) or email lists for any marketing material on new blogs, integrations and products Spotinst offers. All customers have the ability to opt out.

3. Communicating privacy information – You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

Marketing emails can be unsubscribed to quickly and simply by following the “unsubscribe” link at the bottom of every marketing communication.

4. Individuals’ rights You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

As we do not store much personal information, any requests (for the details held by our marketing teams) can be dealt with quickly and simply. Please email gdpr@spot.io to request and information to be deleted or modified.

5. Subject access requests – you should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

As above, please email gdpr@spot.io to request and information to be deleted or modified.

6. Lawful basis for processing personal datayou should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

Our invoicing details are covered, as mentioned, by Article 6(1b) and our marketing details are fully compliant with GDPR following any customer opt-ins or deleted in the case of opting-out.

7. Consent you should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

We have reviewed our consent policy and believe that we do all we can to be clear, secure and compliant at all stages.

8. Children you should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

None of the data we have pertains to children.

9. Data breaches you should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

As the only data we store is contact details, any data breaches will not have to be reported to regulation authorities (Article 33(1) states that data breaches will not have to be recorded unless the breach is likely to result in a risk to the rights and freedoms of individuals, which it would not. Despite this, our security on any data we store for any client is, as always, our top priority. As such we have protected ourselves from data breaches through firewalls.

10. Data Protection by Design and Data Protection Impact Assessments you should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

Due to the way our company conducts business (holding as little personal information as possible) we have been conceived with data protection in mind, always looking to minimise client anxiety about the handling and storing of their data.

11. Data Protection Officers You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

While our company does not meet the requirements for a DPO (under Article 27(2a)), our CTO conducts quarterly assessments on our data systems to ensure compliance and security is not compromisable.

12. International If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this

Our company operates mainly in Israel, the US and the UK, with each regional team reporting to their national supervisory authority. Our lead supervisory authority is in Israel.