GDPR: Guidance on the ArcGIS Platform

Summary

The EU General Data Protection Regulation (“GDPR”) places significant responsibilities on organisations that process Personal Data.  We are committed to being compliant with GDPR, including helping our customers meet their GDPR obligations.

ArcGIS and GDPR

ArcGIS* is a platform for managing, analysing and visualising spatial data, and as such it contains many different components. If you are using ArcGIS to manage Personal Data, then the following questions are important:

  • What technological security measures are available to ensure data security?
  • What tools are available to identify what data is Personal Data?
  • What tools are there to correct inaccurate or incomplete Personal Data?
  • What tools are there to remove or delete Personal Data?
  • What tools are there to restrict the processing of Personal Data?
  • What tools are there to enable Personal Data to be extracted in a machine-readable, commonly used and structured form?
  • How can I notify users of Apps I deploy about my privacy policy?

We have addressed each of these issues in more detail in a document available on our website: https://www.esriuk.com/en-gb/legal/gdpr/guidance-on-the-arcgis-platform.

In addition to the above, consideration also needs to be given to the following:

ArcGIS On Premises Deployment

Many organisations deploy and manage ArcGIS software on their own infrastructure, which may include infrastructure owned by a third party such as a cloud infrastructure provider.  In this scenario you are responsible for meeting your GDPR obligations.  You may also need to liaise with your infrastructure provider to understand their GDPR compliance as a Data Processor (or sub-processor, as applicable).

A typical ArcGIS On Premises deployment would include ArcGIS Enterprise components and ArcGIS desktop tools such as ArcGIS Pro or ArcMap.  If you are managing Personal Data, it is likely that you are also making use of a relational database (RDBMS) such as Oracle, SQL Server or Postgres to store and manage that data. You can decide if and how to store Personal Data within the system, and you are responsible for ensuring that you meet any applicable requirements of GDPR.

To find out more about the tools, please see https://www.esriuk.com/en-gb/legal/gdpr/guidance-on-the-arcgis-platform.

Esri Managed Software: ArcGIS Online

ArcGIS is available as software as a service in the form of ArcGIS Online. In this scenario you remain the Data Controller for any Personal Data that you choose to store in ArcGIS Online; however, Esri Inc is a Data Processor in this case, and there are additional sub-processors that are used in providing the ArcGIS Online service to you.

ArcGIS Online infrastructure is hosted in data centres located in the United States of America, including those of Esri Inc, Microsoft Azure and Amazon Web Services.  Any Personal Data stored in ArcGIS Online may be transferred to those data centres.

To find out more about the tools, please see https://www.esriuk.com/en-gb/legal/gdpr/guidance-on-the-arcgis-platform.

Esri UK’s Online Services: Software as a Service

Esri UK host a number of cloud-based applications that build on top of ArcGIS Online, including QuestionWhere, MyNearest and sweet.  These applications are all designed to make use of ArcGIS Online, and so the privacy and security measures of ArcGIS Online are relevant in this case.  Any data that you choose to collect through the use of these applications can be managed using the relevant tools discussed in the previous sections.

These applications are hosted on Esri UK’s AppHub Hosting environment, which runs on the AWS cloud.  Esri UK hosted applications do not collect or store any information provided by users of the applications; however, Esri UK do log information generated during the operation of the service, such as web logs and IP addresses. We use this information for tracking errors and delivering a scalable, secure and reliable service.

Esri UK Managed Services

Esri UK and Esri Ireland’s Managed Services Teams provide services to host and run an organisation’s ArcGIS infrastructure in the cloud.  This infrastructure will be operated in our cloud service providers’ infrastructure.  Each deployment will differ depending on an organisation’s requirements, but it provides the capability to deploy a managed ArcGIS system within EU data centres, helping an organisation tailor their GIS solution, for instance where the organisation prefers to keep Personal Data within the EU.

Conclusion

Each organisation that deals with Personal Data needs to ensure that they address any issues that GDPR raises.  If you choose to store Personal Data in ArcGIS then you remain responsible for that data and how it is managed and used within the system.  ArcGIS is a powerful platform for helping with the task of managing Personal Data, and provides tools and capabilities that can address some of the specific requirements of GDPR.

If you utilise cloud services as part of your ArcGIS system, whether that is infrastructure provided by us, Esri Inc or another third party, or by utilising software as a service, then it is important that you understand how that impacts your responsibilities under GDPR.  We, Esri Inc and our third-party Data Processors (or sub-processors) provide both technical and contractual measures to enable you to meet your GDPR requirements, as well as addressing those requirements for our own operations.