How GDPR changes the game for cloud service providers

23 Feb 2018

Article written by Talend A/NZ country manager Steve Singer

The effect on businesses of the European General Data Protection Regulation (GDPR) has been widely discussed in recent months, but what has received less attention is the impact of the new laws on cloud platforms.

When GDPR becomes enforceable on May 25, 2018, it will require organisations that hold personal data to demonstrate that they apply its data protection principles in practice. As well as data stored internally, this requirement covers any external party that stores or processes the data on the organisation's behalf. Cloud providers fall squarely into this category.

So, what steps does a business using cloud platforms need to take to meet the new requirements? How can it be sure it will be able to comply before the May deadline?

Cloud responsibility

Many organisations believe that responsibility for data stored on a cloud platform rests with the service provider. Indeed, a 2017 Vanson Bourne study commissioned by Veritas found that a large share of global business and IT decision makers wrongly believe data protection, data privacy and compliance are the responsibility of the cloud service provider.

Companies are grappling with GDPR compliance at a time of rising security concerns, following massive data breaches such as Equifax and Alteryx/Experian that reinforce the importance of data accountability. Under GDPR, primary responsibility sits with the data controller, the organisation that decides why and how personal data is collected and used. That responsibility does not disappear when the data is handed on: the controller remains accountable for every processor in the chain, and processors carry their own direct obligations for the data they handle.

A knee-jerk reaction to this might be to avoid using cloud storage for personal data altogether and turn to on-premises storage instead. Some might opt for a hybrid architecture in which non-sensitive data is held on a cloud platform and personal data on in-house servers.

Other organisations might instead consider the cloud to be the most effective and secure way to meet the challenges of new data privacy legislation. However, they will then need to be more thorough in their cloud procurement process, to make sure both parties understand the risks, responsibilities, and requirements that need to be fulfilled.

Some organisations might not even be in a position to choose between the two strategies, given their legacy systems and the services already in use. According to the Cloud Industry Forum, the average European company is using 608 cloud apps but, because of shadow IT, underestimates that number by 90%. A similar situation could well exist in other regions.

Thorough assessment is key

Identifying and cataloguing every cloud application that holds personal data is the first and foremost challenge. Organisations need to crawl their entire data infrastructure to create, and then maintain, an accurate map of where personal data lives, including the shadow IT services no one has formally approved.

They then need to pay particular attention to third-party systems hosted in the cloud, such as CRM and HR applications, and infrastructure- or platform-as-a-service offerings. For each of these, the organisation must assess the GDPR readiness of the cloud provider in its role as a data processor, and make sure the contract includes a data processing agreement setting out what the provider may do with the data and what safeguards it must apply.

Similarly, data controllers need to ensure that their cloud providers will delete or return the data when they stop using the service; GDPR requires the data processing agreement to cover this. Because data subjects will be able to request a copy of, or the deletion of, all the personal data a company holds about them, the data controller also has to be able to fulfil such a request for data held by the cloud provider, and within the statutory time limit.

Establishing liability

An organisation also needs to clearly define the balance of liability in the event of a data breach. Under GDPR, the data controller (the organisation that determines the purposes and means of processing the personal data it collects from its data subjects) is ultimately responsible for preventing and reporting data breaches. The data processor (the cloud service provider) has its own direct obligations to secure the data, but organisations should still ensure the contract spells out the processor's responsibility for the security of stored data, the security measures it commits to, and how it will support the controller's obligations.

This is particularly important in light of the data controller's obligation to notify the supervisory authority within 72 hours of becoming aware of a personal data breach. The controller can only meet that deadline if its processors tell it promptly: GDPR requires a processor to notify the controller of a personal data breach without undue delay, and the contract should make that notification path and timeframe explicit.

Organisations will also need to take a far more active interest in the physical location of their cloud provider's data centres. Under GDPR, personal data may only be transferred outside the EU to countries that the European Commission has recognised as providing adequate protection, or where appropriate safeguards such as standard contractual clauses or binding corporate rules are in place. It will be essential to work with cloud providers that give clear and transparent information about where data is stored and replicated, and what legal basis covers any transfer.

Ongoing cloud usage

Provided an organisation is working with a reputable cloud provider, and once data governance principles have been established, the cloud can remain a suitable place for storing personal data while maintaining GDPR compliance.

Indeed, many cloud providers have already laid the groundwork for GDPR support, so working with knowledgeable providers can help organisations fast-track their compliance. Nonetheless, the controller remains accountable, so familiarity with a chosen provider's GDPR policies and strategy will be crucial.

GDPR represents a significant change in how organisations deal with personal data. Comprehensive measures to ensure that they know what data is being stored, and where, are vital, and this is particularly important when cloud platforms are involved.
