How GDPR changes the game for cloud service providers
The effect on businesses of the European General Data Protection Regulation (GDPR) has been widely discussed in recent months, but what has received less attention is the impact of the new laws on cloud platforms.
When GDPR comes into force on May 25, it will require organisations holding personal data to enforce privacy principles. As well as data stored internally, this requirement will cover any external parties that might share or process the data on the organisation's behalf. Cloud providers fall squarely into this category.
So, what steps does a business using cloud platforms need to take to ensure they can meet the new requirements? How can they be sure they will be able to comply before the May deadline?
Cloud responsibility
Many organisations are of the belief that responsibility for data stored on a cloud platform rests with the service provider. Indeed, a Vanson Bourne 2017 study commissioned by Veritas found that global business and IT decision makers wrongfully believe data protection, data privacy and compliance are the responsibility of the cloud service provider.
Companies are grappling with GDPR compliance during a time of rising security concerns, following recent massive data breaches such as Equifax and Alteryx/Experian that reinforce the importance of data accountability. Under GDPR, responsibility for the data sits firmly with the data controller, the organisation that collects the personal data in the first instance, and then cascades to the other stakeholders when they process it.
A knee-jerk reaction to this might be to avoid using cloud storage for personal data and turn to on-premises storage instead. Some might opt to adopt a hybrid architecture where non-sensitive data is held on a cloud platform and personal data on in-house servers.
Other organisations might instead consider the cloud to be the most effective and secure way to meet the challenges of new data privacy legislation. However, they will then need to be more thorough in their cloud procurement process, to make sure both parties understand the risks, responsibilities, and requirements that need to be fulfilled.
Some organisations might not even have the ability to proactively choose between the two strategies because of their legacy systems. According to the Cloud Industry Forum, an average European company is effectively using 608 cloud apps, but due to shadow IT, is underestimating this number by 90%. A similar situation could well exist in other regions.
Thorough assessment is key
Making sure that all the cloud applications that hold personal data are identified and inventoried becomes the first and foremost challenge. Organisations need to crawl their entire data infrastructure to create and maintain a constant and accurate map of their data.
Then, they need to pay particular attention to third-party systems based in the cloud, such as CRM, HR, infrastructure-as-a-service or platform-as-a-service offerings. This will be especially important as they would then need to assess the GDPR readiness of their cloud provider as a data processor and make sure their contract includes a data processing agreement.
Similarly, data controllers need to ensure that they can erase the data from their cloud providers when they stop using the cloud service. As consumers will be able to request information on, or the deletion of, all the personal data a company has about them, the data controller has to ensure that they can meet this kind of requirement through their cloud provider.
Establishing liability
An organisation also needs to clearly define the balance of liability in the event of a data breach. While under GDPR the data controller (the organisation that processes the data it captured from its data subjects) is ultimately responsible for reasonably preventing and reporting data breaches, organisations should be looking to ensure their data processor (the cloud service provider) is contractually required to also take responsibility for the safety and security of stored data.
This is particularly important in terms of the data controller's responsibility to notify the supervisory authority within 72 hours of any data breach. This will require cloud providers to ensure they are notifying organisations of any security threat as quickly as possible.
Organisations will also need to take a far more active interest in the physical location of their cloud provider's data centres. Under GDPR, there are only a few specific countries outside the EU that are authorised for the storage of EU citizens' data. It will be essential for organisations to work with cloud providers who can provide clear and transparent location information for their data storage.
Ongoing cloud usage
Provided an organisation is working with a reputable cloud provider, and once data governance principles have been established, the cloud can remain a suitable place for storing personal data and maintaining GDPR compliance.
Indeed, many cloud providers have already paved the road to GDPR support, so working with those knowledgeable cloud providers can help organisations fast-track their compliance. Nonetheless, ensuring familiarity with a chosen provider's GDPR policies and strategy will be crucial.
GDPR represents a significant change to how organisations deal with personal data. Comprehensive measures to ensure that they know what data is being stored, and where, are vital, and this is particularly important when cloud platforms are involved.