
How to make sure your lease management system is GDPR compliant


When you operate in the leasing industry, you have to collect and store sensitive personal information from your customers - e.g., name, date of birth, income, address, email, social security number, etc. It is your responsibility to process this data according to GDPR - even if the data is stored on servers outsourced to partners and vendors.

March 25, 2021
By Jan Johannes Kyhnæb

In this blog post, we dive into what you need to be aware of regarding GDPR - whether your lease management system is on-premise, in a private cloud, or a public cloud.

 

On-premise, private and public cloud

Let us start by clarifying what it means for your lease management system to be: on-premise, in a private cloud, or a public cloud.

With an on-premise solution, your lease management system is installed on a local server - you could also call it a local cloud - which is physically located within the walls of your company. Once the system is installed, you are responsible for ongoing maintenance and server updates. Therefore, you have complete control over your lease management system. At the same time, you are responsible for keeping the system working optimally at all times, and this requires that you have the necessary IT skills.

If your lease management system is stored in a private cloud, the software is installed on a server outside your company - for example, with your software provider or with a hosting partner. With a private cloud solution, you often know where the server is geographically located and who has access to it, but you do not have to invest in the hardware to host the system. You access the lease management system via the Internet.

If your lease management system is located in a private cloud - for example, at Fiftytwo - you choose to what extent you want to take care of maintenance and updates. If you want more control and have the necessary IT skills, you can take care of it yourself. If, on the other hand, you want to free up time and resources, you can arrange for us to take care of the operation.

In a public cloud solution, everyone shares the same solution. An example of such a case is Facebook, which only exists in the cloud. The supplier is responsible for all service, maintenance, development, and server capacity and functionality. Similarly, Microsoft Dynamics 365 Business Central - the platform 52LEASING is built upon - is offered in the public cloud, which means that you can subscribe to a complete financial system including operation, servers, and monitoring. This platform cannot handle highly integrated solutions such as 52LEASING. Fiftytwo is continuously developing the product to be ready for the public cloud - when the public cloud is prepared for 52LEASING.

 

Which solution is the most GDPR compliant?

The reason for choosing an on-premise solution is often centered around compliance. With an on-premise solution, you have complete control over how your data is handled. In the leasing industry, where the security requirements are high, it can be challenging to be confident that others can live up to the same level of security requirements as you do. However, this belief is not always true. Imagine you do not have the necessary resources in-house. In that case, it may be more secure to have your lease management system hosted at a private or public cloud provider with security competencies, which ensures that your system receives regular security updates.

 

What should you be aware of?

Whether your lease management system is on-premise, in a private cloud, or a public cloud, always make sure that only necessary data is stored and that data is deleted as soon as it is no longer necessary to store it.

If you choose to host your lease management system in a private or public cloud, it is essential that you first acquaint yourself thoroughly with the cloud provider's data processor agreement. You are the data controller, and your cloud provider is the data processor. It is your responsibility that your customers' data is processed according to the GDPR.

The data processor agreement tells you how the data processor handles data on your behalf (the data controller). It is a legally binding document between you and your data processor. With a data processor agreement, you can ensure that your data is processed correctly and in accordance with the GDPR.

If you consider a cloud provider with a physical server outside the EU, it is essential to ensure that the security level complies with the GDPR rules. This will often be the case, but it is necessary to be on the safe side and make it clear in a data processor agreement.

If you have decided to host your lease management system in a private cloud, make an explicit agreement on the division of responsibilities between you and your cloud provider. For example, who is responsible for security updates? If you want to leave the responsibility to your private cloud provider, it is a good idea to make sure that you get an overview of who exactly has access to the server.

 
