Businesses face many challenges when attempting to comply with the EU’s new data security and privacy rule. Businesses using services hosted in the cloud must not only monitor their own compliance efforts; it is now also necessary for them to monitor the compliance efforts of their cloud service providers.
Before GDPR was implemented in May 2018, the data security and privacy rules of EU member states were loosely based around an EU “Directive” issued in 1995. The aim of this Directive was to regulate how the personal data of EU “data subjects” was processed and to limit how and when it could be transferred outside the EU.
Due to the Directive being interpreted differently by different states, the EU General Data Protection Regulation (GDPR) was passed in 2016. This new legislation standardizes data security and privacy rules throughout the European Economic Community and affects every individual or organization that collects, stores or processes personal information, regardless of where in the world they are located.
GDPR Compliance in the Cloud
Under GDPR, a Data Controller is any individual or organisation that collects data. The Data Controller is responsible for the safekeeping of the data and for responding to requests to access it, regardless of whether they process and store the data themselves or contract it out to third-party service providers. This includes using cloud-based services to process and store data.
Cloud-based services are used daily by almost every business in the world; Office365, G-Suite, Slack and Zendesk are all examples of these types of services. Employees often use other cloud-based services such as Dropbox and LinkedIn. These services are often used without the specific permission or approval of IT departments, leaving Data Controllers in the dark about which services are being used and how they are being used.
To address the challenges of GDPR compliance in the cloud, Data Controllers are beginning to conduct an audit of every cloud service used. Through doing this, they are identifying which cloud services are GDPR-compliant and formalizing agreements with app providers and service providers with regard to data collection, storage, processing, retention and deletion. The use of non-GDPR-compliant services is then prohibited within the company.
Businesses that use public clouds such as AWS and Google Cloud Platform to process and store data also need to formalise watertight agreements with these cloud providers. The reason is that when data processing and storage services are shared in the public cloud, the risk of a data breach is increased.
Therefore, the following cloud checklists should be consulted to help with GDPR compliance. Although they are not fully comprehensive in every scenario, they provide a suitable starting point for most small to medium businesses.
Checklist 1 (Cloud-Based Apps and Services)
- Conduct an audit of the various cloud-based apps and services used in your organisation
- Make sure you know the location where data is processed and stored by third parties
- Implement methods to recover and delete data as required
- Execute agreements with apps and services used by your organisation for data processing
- Create policies to prohibit the use of non-GDPR-compliant apps and services
Checklist 2 (Public Cloud Providers)
- Ensure the public cloud provider has safeguards in place for data protection
- Establish visibility into data collection to ensure it is only used for its intended purpose
- Implement processes to recover and delete data
- Make agreements with public cloud providers