The fact that the software industry is constantly under development makes it a fascinating area of expertise. The largest development of recent (and coming) years is, without doubt, the transition to the Cloud. This marks a significant change – not just in technology but also in the role of software suppliers in information management. At the same time, our field is fully focused on the General Data Protection Regulation (AVG in Dutch) and the roles that suppliers should play in data protection.
I am as passionate about law as I am about IT and happy to have the opportunity to combine these two areas in my work as a legal expert at Decos and in my blog. In the first capacity, I support the Association of Netherlands Municipalities (VNG) in working out various guidelines related to privacy. In addition, we are often asked about the role of the supplier: who is responsible for what, exactly?
As an on-premise supplier, are you a processor in the framework of the AVG?
Most municipalities still operate on-premise, which means they run their own ICT infrastructure and store the data themselves. This makes the municipality responsible for the storage, management and security of the data, including any personal data. As a software supplier, we must supply the right tools and ensure councils can properly carry out and safeguard this management role. We supply the software but not the services for data management. As a result of the discussions with Decos, VNG will be publishing a new factsheet. Read more about the results of the debate between software suppliers and municipalities in version 1.1 here.
“Our consultants obviously come into contact with data from the municipality.
Does that make us a processor when working on-premise?”
Everything changes when we enter the Cloud. In these cases, we not only supply the software, but also manage client data. We store and secure data and are responsible for its ultimate removal. In other words, we supply software as a service. Under the AVG, this service involves the processing of personal data on behalf of the municipality. This makes us a processor. Data from Cloud clients, including municipalities, is stored in Azure. And, as the client is paying us to store data, we are the data processor. This makes data management our explicit responsibility.
More and more municipalities in the Cloud
When purchasing JOIN, companies increasingly choose to work in the Cloud. This means that our responsibility for managing personal data will increase. We are managing more and more data while the number of Cloud clients expands. Decos is market leader in case systems and client contacts. This is very important to us so we continue to invest in our knowledge in these fields and have several privacy specialists in the company. Although we are still on the side line, our role as a software supplier is expanding and we can give clients the relevant advice. Our primary task is to develop and maintain software, while our secondary task is to keep working on data protection and take our responsibility herein. As the move into the Cloud goes hand in hand with a shift from product supplier to service provider, there will be plenty of changes for the software suppliers of today and tomorrow.
For more information on privacy legislation in the Netherlands, visit my blog (Dutch only).