The EU General Data Protection Regulation ("GDPR") places significant responsibilities on organisations that process personal data. We are committed to being compliant with GDPR, including helping our customers meet their GDPR obligations. Many of our customers make use of the ArcGIS platform to manage spatial data that may include personal data.
The ArcGIS platform includes many tools and capabilities that can enable customers to address their GDPR obligations, and this document highlights those, as well as other aspects of how GDPR may influence the use of GIS, the deployment of the ArcGIS Platform and the interactions customers may have with us and/or Esri Inc
GDPR is effective from 25 May 2018. It sets out the rights of individual Data Subjects with respect to their personal data, and the responsibilities of those who process personal data as either a Data Controller or a Data Processor. All Data Controllers and Data Processors must be compliant with GDPR. ArcGIS is used by many of our customers to manage, process and analyse a wide range of data, which could include personal data. This raises questions as to how our customers can use ArcGIS to meet their responsibilities under GDPR, and how we are addressing such questions. This document answers the key questions that customers have raised with us to date about their use of ArcGIS and their interactions with us and Esri Inc.
GDPR is complex and there is plenty of information available that discusses this in detail. In the UK, the Information Commissioners Office (ICO) is responsible for ensuring that organisations comply with GDPR and provide guidance to those organisations about their responsibilities. The ICO’s guidance and information can be found via the ICO website. In Ireland the Data Protection Commissioner is responsible, and their guidance can be found at their website.
ArcGIS and GDPR
ArcGIS* is a platform for managing, analysing and visualising spatial data, and as such it contains many different components. The following sections outline how ArcGIS can help you in meeting the requirements of GDPR. If you are using ArcGIS to manage personal data, then the following questions are important.
- What technological security measures are available to ensure data security?
- What tools are available to identify what data is personal data?
- What tools are there to correct inaccurate or incomplete personal data?
- What tools are there to remove or delete personal data?
- What tools are there to restrict the processing of personal data?
- What tools are there to enable personal data to be extracted in a machine-readable, commonly used and structured form?
* The ArcGIS platform is proprietary to Environmental Systems Research Institute, Inc (“Esri Inc”), a corporation located in the United States of America. We are Esri Inc’s authorised distributor of the ArcGIS platform to end users in Great Britain (Esri UK) and Ireland (Esri Ireland).
ArcGIS On Premises Deployment
Many organisations deploy and manage ArcGIS software on their own infrastructure, which may include infrastructure owned by a third party such as a cloud infrastructure provider. In this scenario you are responsible for meeting your GDPR obligations. You may also need to liaise with your infrastructure provider to understand their GDPR compliance as a Data Processor (or sub-processor, as applicable).
A typical deployment of ArcGIS on Premises would include ArcGIS Enterprise components and ArcGIS desktop tools such as ArcGIS Pro or ArcMap. If you are managing personal data it is likely that you are also making use of a relational database (RDBMS) such as Oracle, SQL server or Postgres to store and manage that data. You can decide if and how to store personal data within the system and it is your responsibility for ensuring that you meet any applicable requirements of GDPR.
Esri Managed Software: ArcGIS Online
ArcGIS is available as Software-as-a -Service (SaaS) in the form of ArcGIS Online, in this scenario you remain the Data Controller for any personal data that you choose to store in ArcGIS Online. However, Esri Inc is a Data Processor in this case, and there are additional sub-processors that are used in providing the ArcGIS Online service to you.
ArcGIS Online Infrastructure is hosted in data centres located in the United States of America, including those of Esri Inc, Microsoft Azure and Amazon Web services. Any personal data stored in ArcGIS Online may be transferred to those data centres.
All the tools previously discussed also apply to ArcGIS Online, allowing you as the Data Controller to manage what personal data you choose to store in ArcGIS Online. You can continue to manage this data in the same way that you would in an on-premises solution.
Any use of ArcGIS Online will require you to create user accounts, and the user profile data associated with these will be stored within ArcGIS Online. This data is used for the purposes of ensuring security and providing the service to you and is governed by the security and privacy controls discussed below. You can manage users by linking to an enterprise Identity management system such ADFS, or by using the user management tools discussed in the previous section.
Esri Inc has published several documents which relate to this, and which can be found via the following links:
- Document entitled: “ArcGIS Online: A Security, Privacy & Compliance Overview”
- The following link provides information relating to the security of the ArcGIS platform generally, and specific information relating to privacy and compliance information: Trust ArcGIS
- The following link contains Esri Inc’s contractual provisions for where its Online Services or maintenance are provided, and where EU personal data is provided to Esri Inc. See document entitled “Data Processing Addendum”.
Legal Information | European Union General Data Protection Regulation
Esri UK’s Online Services: Software as a Service
Esri UK host a number of cloud based applications that build on top of ArcGIS Online including QuestionWhere, MyNearest and sweet. These applications are all designed to make use of ArcGIS Online, and so the privacy and security measures of ArcGIS Online are relevant in this case. Any data that you choose to collect through the use of these applications can be managed using the relevant tools discussed in the previous sections.
These applications are hosted on Esri UK’s AppHub Hosting environment, which is running on the AWS cloud. Esri UK hosted applications do not collect or store any information provided by users of the applications, however Esri UK do log information generated during the operation of the service, such as web logs and IP addresses, we use this information for tracking errors and delivering a scalable, secure and reliable service.
Esri UK and Esri Ireland Managed Services
Esri UK and Esri Ireland’s Managed Services Teams provide services to host and run an organisations ArcGIS Infrastructure in the cloud. This infrastructure will be operated in our cloud service providers’ infrastructure. Each deployment will differ depending on an organisations requirements, but it provides the capability to deploy a managed ArcGIS system within EU data centres, helping an organisation tailor their GIS solution, for instance where the organisation prefers to keep personal data within the EU.
Each organisation that deals with personal data needs to ensure that they address any issues that GDPR raises. If you choose to store personal data in the ArcGIS platform then you remain responsible for that data and how it is managed and used within the system. ArcGIS is a powerful platform for helping with the task of managing personal data, and provides tools and capabilities that can address some of the specific requirements of GDPR.
If you utilise cloud services as part of your ArcGIS system, whether that is infrastructure provided by us, Esri Inc or another third party, or by utilising software as a service, then it is important that you understand how that impacts your responsibilities under GDPR. We, Esri Inc and our third-party Data Processors (or sub-processors) provide both technical and contractual measures to enable you to meet your GDPR requirements, as well as addressing those requirements for our own operations.