Anna Hee Ustvedt

How to make sure you are GDPR compliant - whether your leasing system is on-premise or in the cloud

When you work in the leasing industry, you have to collect and store a good deal of personal data on your customers, some of it sensitive: name, date of birth, income, address, email, social security number, and so on. It is your responsibility that this data is processed in accordance with the GDPR, even when the data is stored on servers run by partners and vendors.

In this blog post, we dive into what you need to be aware of in relation to GDPR - whether your leasing system is on-premise, in a private cloud, or a public cloud.


On-premise, private and public cloud

Let's start by clarifying what it means for your leasing system to be: on-premise, in a private cloud, or a public cloud, respectively.

With an on-premise solution, your leasing system is installed on a local server that is physically located within the walls of your company. Once the system is installed, you are responsible for the ongoing maintenance and updating of the server. This gives you complete control over your leasing system, but it also makes you responsible for keeping it running, patched and secure, which requires that you have the necessary IT skills in-house.

If your leasing system is hosted in a private cloud, the software is installed on a server outside your company, for example with your software provider or with a hosting partner. With a private cloud solution you usually know where the server is geographically located and who has access to it, and you do not have to invest in the hardware the system runs on. You access the leasing system via the Internet.

If your leasing system is located in a private cloud at Fiftytwo, for example, you choose to what extent you want to take care of maintenance and updates yourself. If you want more control and have the necessary IT skills, you can handle it on your own. If, on the other hand, you want to free up time and resources, you can agree with us that we take care of the operation.

In a public cloud solution, all customers share the same platform, which the supplier runs as a service; Facebook, which exists only as a cloud service, is a familiar example. The supplier is responsible for all service, maintenance, development, server capacity and functionality. Microsoft Dynamics 365 Business Central, the platform 52LEASING is built on, is likewise offered in the public cloud, where you subscribe to a complete financial system including operation, servers and monitoring. The public cloud edition of that platform cannot yet host highly integrated solutions such as 52LEASING, so Fiftytwo is continuously developing the product to be ready for the public cloud, for when the public cloud is ready for 52LEASING.


Which solution is the most GDPR compliant?

Many who choose an on-premise solution do so precisely for compliance reasons: with an on-premise solution, you have full control over how your data is handled. In the leasing industry, where security requirements are high, it can be hard to trust that a third party meets the same standard. That assumption does not always hold, however. Control of the hardware only improves compliance if you also have the people and processes to patch the system, manage access to it and monitor it. If you lack those resources in-house, it may well be more secure to run your leasing system with a private or public cloud provider that has security competencies and keeps the system's security regularly updated.


What should you be aware of?

Whether your leasing system is on-premise, in a private cloud or in a public cloud, always make sure that only the data you actually need is stored, and that data is deleted as soon as there is no longer a reason to keep it.
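As an added illustration of those two principles (data minimisation and storage limitation), here is a small Python example; it is not code from the original post or from 52LEASING. The field allowlist, the five-year retention period after contract end, and the customer records are all assumptions made for the example.

```python
from datetime import date, timedelta

# Assumed allowlist of the fields the leasing process actually needs.
# Anything not listed here is never written to storage.
REQUIRED_FIELDS = frozenset({
    "customer_id", "name", "date_of_birth", "address", "email",
    "national_id", "income", "contract_end",
})

# Assumed retention period: a record is kept this long after the contract
# ends (e.g. for bookkeeping obligations) and then deleted.
RETENTION_AFTER_CONTRACT_END = timedelta(days=5 * 365)


def minimise(record: dict) -> dict:
    """Keep only allowlisted fields of an incoming record (data minimisation)."""
    return {k: v for k, v in record.items() if k in REQUIRED_FIELDS}


def is_expired(record: dict, today: date) -> bool:
    """A record is due for deletion once its retention period has fully elapsed.

    The comparison is inclusive: a record whose retention ends today is
    deleted today, not tomorrow.
    """
    return record["contract_end"] + RETENTION_AFTER_CONTRACT_END <= today


def purge(records: list, today: date) -> tuple:
    """Split records into those to keep and the ids of those to delete.

    Only ids are returned for the deleted side, so the deletion log does not
    itself become another copy of the personal data it is about.
    """
    keep, deleted_ids = [], []
    for rec in records:
        if is_expired(rec, today):
            deleted_ids.append(rec["customer_id"])
        else:
            keep.append(rec)
    return keep, deleted_ids


# Constructed sample input with fictitious customers, as it might arrive from
# an application form that collects more than the leasing process needs.
SAMPLE_RECORDS = [
    {"customer_id": 1, "name": "A. Example", "date_of_birth": date(1980, 5, 1),
     "address": "Somewhere 1", "email": "a@example.com",
     "national_id": "000000-0000", "income": 45000,
     "contract_end": date(2018, 6, 30),
     "marketing_preferences": "newsletter", "browser_fingerprint": "ab12cd"},
    {"customer_id": 2, "name": "B. Example", "date_of_birth": date(1975, 9, 9),
     "address": "Somewhere 2", "email": "b@example.com",
     "national_id": "000000-0001", "income": 52000,
     "contract_end": date(2019, 1, 2),   # retention ends exactly on 2024-01-01
     "marketing_preferences": "none"},
    {"customer_id": 3, "name": "C. Example", "date_of_birth": date(1990, 2, 2),
     "address": "Somewhere 3", "email": "c@example.com",
     "national_id": "000000-0002", "income": 39000,
     "contract_end": date(2022, 1, 15)},
]


def run_example(today: date = date(2024, 1, 1)) -> dict:
    """Minimise the sample records, then run the retention purge as of `today`."""
    stored = [minimise(r) for r in SAMPLE_RECORDS]
    kept, deleted_ids = purge(stored, today)
    return {
        "stored_fields": sorted(stored[0]),
        "kept_ids": [r["customer_id"] for r in kept],
        "deleted_ids": deleted_ids,
    }


if __name__ == "__main__":
    print(run_example())
```

Run as of 2024-01-01, the example deletes customers 1 and 2 (customer 2 sits exactly on the retention boundary) and keeps customer 3, and the stored records never contain the marketing preference or browser fingerprint fields. In a real system the same purge would run as a scheduled job against the database, and the retention period should come from your documented retention policy rather than a constant in code.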

If you choose to place your leasing system in a private or public cloud, first familiarize yourself thoroughly with the cloud provider's data processor agreement. Under the GDPR you are the data controller and your cloud provider is the data processor, and it remains your responsibility that your customers' data is processed in accordance with the GDPR.

The data processor agreement, which Article 28 of the GDPR requires whenever a processor handles personal data on a controller's behalf, sets out how the data processor handles data on your behalf. It is a legally binding document between you and your data processor, and it is the means by which you ensure, and can document, that your data is processed correctly and in accordance with the GDPR.

If you are considering a cloud provider whose physical servers are outside the EU/EEA, pay extra attention. Besides verifying that the security level meets the GDPR's requirements, the transfer itself needs a lawful basis under the GDPR's rules on transfers to third countries, such as an adequacy decision for that country or standard contractual clauses. Many providers do meet these requirements, but do not assume it; be on the safe side and have it stated explicitly in the data processor agreement.

If you have decided to host your leasing system in a private cloud, enter into a clear agreement on the division of responsibilities between you and your cloud provider. For example, who is responsible for applying security updates, and how quickly? If you leave that responsibility to your private cloud provider, make sure you also get an overview of exactly who has access to the server, and that the list is kept up to date as staff change.
