GDPR and the cloud
We take a look at the core areas you need to consider to be GDPR compliant whilst using the cloud
A little more than a year after its first implementation, the General Data Protection Regulation (GDPR) has sent businesses scrambling to become compliant to avoid the risk of potentially crippling fines.
Adding to the headache, the ubiquitous adoption of cloud computing from software to storage also presents further compliance issues whereby the cloud service provider (CSP) must also be compliant to store a business' data.
Cloud computing has become an integral part of how a digitally transformed business operates, and this, in turn, means businesses must be certain their CSP is also GDPR compliant. Strict requirements apply to how a data subject's information is held by a business, and these vary from country to country in their minutiae. Even the slightest mistake could cost a company millions.
Although placing one's trust into a CSP instead of operating everything in-house may seem like a leap of faith, it shouldn't be avoided. Proper due diligence should be carried out when choosing a CSP because a strong marriage between a business and the limitless scale of cloud can make for an optimum data storage and protection arrangement.
There are a number of imperative considerations businesses must make before moving on-premise data storage into the cloud, so read on before embarking on your GDPR minefield of a migration.
What effect has GDPR had on cloud computing?
Businesses must, of course, do their homework when it comes to making sure the external services and third parties they use are GDPR-compliant, particularly when a breach would expose your organisation to regulatory risk.
For example, your organisation's data could be managed on servers beyond the EU's borders. In this situation, it's essential you remain aware as to whether this 'third country' has a data adequacy agreement in place, which is to say its data protection laws are officially deemed compatible with those of the EU (one of the reasons the UK decided to implement the standards of GDPR in the form of the new Data Protection Act, despite the country's impending departure from the bloc).
Businesses need to take responsibility under GDPR for determining not just whether their own structures are compliant, but also those of their partners and suppliers, or risk sustaining large fines.
Managing consents and establishing GDPR-compliant permissions is also crucial to legitimately processing the data of EU residents. The laws state clearly that data cannot be used for any purposes beyond those which were stated when consent was obtained, and cannot be held for any longer than is needed to fulfil these purposes.
The management of data is also important: while enterprises may legitimately collect and store EU residents' data provided they have permission from the individuals to do so, GDPR guidelines state they cannot collect more than they need to complete a predefined purpose. In any case, it is good practice to have a handle on where sensitive data is stored, what it's used for, and for how long it's being kept.
These points can be addressed with savvy service level agreements that can ensure a cloud provider is offering services that will enable enterprises to remain within GDPR guidelines.
Locking down the cloud
Another important area to really focus on is the level of security and data control various cloud providers offer and can guarantee. Under GDPR, a company is considered the data controller and is thereby responsible for keeping that data safe and secure regardless of whether it's kept on their own servers or those of a cloud provider.
Even if a cloud service is found to be in violation of GDPR, the client company could still be held responsible as the data controller, so businesses need to carefully consider the safeguards the cloud providers they are looking at can guarantee when it comes to GDPR compliance.
As data breaches do happen and the data controller is responsible for ensuring the protection of any personal information they hold, it's important that a company does as much as it can to secure said data before placing it within cloud apps and storage.
In a mixed IT environment where many cloud-based and on-premise apps and services might be used, it's important to ensure that non-GDPR-compliant apps are blocked and that data is not altered or processed without authorisation. It is equally important to make sure that when the company no longer needs a cloud app, the data in it is either retrieved or erased.
There is also a growing trend of reported data breaches in which a misconfigured Amazon S3 bucket is blamed for the infosec blunder. Often, these buckets have either been configured with the wrong settings by a business' IT admin or simply left at their default settings. With cloud storage, most CSPs come with baked-in settings for countries under different data protection laws, including GDPR, which means that if you're operating in a cloud environment, setting the storage's data protection parameters correctly is of paramount importance.
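As an added illustration of the kind of storage check an internal audit can run (this is example code written for this article, not an AWS tool or anything from a CSP), the function below inspects a bucket's Block Public Access settings, ACL grants and bucket policy and reports each finding that would leave data exposed. The bucket name, ACL, policy and owner ID are constructed sample data; the dictionary shapes mirror what the S3 API returns for those three settings.

```python
import json

# Constructed sample data: shapes follow the S3 GetBucketAcl, GetPublicAccessBlock
# and GetBucketPolicy responses, but nothing here comes from a real account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}

LEAKY_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}
LEAKY_BLOCK = {}  # bucket left at its old defaults: no block configuration at all
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-exports/*"}]})
HARDENED_ACL = {"Grants": [OWNER]}
HARDENED_BLOCK = {key: True for key in BLOCK_KEYS}


def _policy_is_public(policy_json):
    """True if any Allow statement names a wildcard principal."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if wildcard and stmt.get("Effect") == "Allow":
            return True
    return False


def audit_bucket(name, acl, public_access_block, policy_json=None):
    """Return a list of findings; an empty list means the bucket passed."""
    findings = []
    for key in BLOCK_KEYS:  # every missing or False setting is a finding
        if not public_access_block.get(key, False):
            findings.append(f"{name}: {key} is not enabled")
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {group}")
    if _policy_is_public(policy_json):
        findings.append(f"{name}: bucket policy allows a wildcard principal")
    return findings


if __name__ == "__main__":
    for line in audit_bucket("customer-exports", LEAKY_ACL, LEAKY_BLOCK, LEAKY_POLICY):
        print(line)
```

Against live buckets the same three inputs can be pulled with the AWS CLI or SDK and fed to `audit_bucket` as part of a scheduled audit.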
GDPR, the cloud and Brexit
After the UK leaves the EU on 31 October 2019, it will then become a third country under GDPR. This means CSPs and businesses will have to work together to modify the data protection principles surrounding data subjects residing inside and outside the UK.
The UK will no longer have to consider the rules of GDPR when doing business with companies outside of the EU, but the UK's Data Protection Act 2018 will still apply, as will the data protection law, if there is one, of the country with which a UK company deals.
UK companies that continue business with others in the EU must still store these residents' data in a way that abides by GDPR and the individual variances in the rules as set out by a given country.
On the flipside, EU businesses storing the personal data of UK residents will not have to abide by GDPR specifically, but the UK's Data Protection Act 2018 carries over all the core GDPR rules and will apply as domestic law. GDPR aims to limit the flow of data outside of the European Economic Area (EEA) unless there is domestic legislation in place that is approved by the EU. Although the UK has GDPR-inspired domestic law, this isn't yet approved by the EU and could take considerable time to reach that stage.
This approval will be given in the form of what's called an adequacy agreement. This will allow the free flow of data between the UK, a third country, and the bloc, but can only be completed after the UK leaves the EU. Until that agreement has been approved, which could take some time, the UK will be wide-open for GDPR punishments if data still enters the country from the EU. It will be illegal for the UK to receive data during this period of time unless some sort of 'grace period' is afforded.
What this means for the cloud is that businesses and CSPs must closely monitor the state of the adequacy agreement and stop the business and cloud platform from receiving data until legally free to do so. From now until 31 October, businesses are encouraged to research all the other, but very limited, options to ensure a free flow of data during the window of uncertainty and ultimately prepare for a highly complex situation, or else prepare to pay the huge fines imposed by GDPR.
Businesses are probably going to refrain from receiving data from the EU rather than just do it and face a fine. It's a much more favourable option than trying to implement an alternative mechanism which will take time in itself, perhaps won't be fully compliant with GDPR and may not be compatible with your chosen cloud platform(s).
There is a way to bypass all of this complexity, but it will likely come at a high price. Having both a UK-based and EU-based data controller and processor working for the same business is the only way to work around this minefield of international legislation. From a UK business' perspective, it means the same business can process the data of subjects in the EEA and UK without having to worry about data transferring between the countries.
Tread carefully after cloud migration
Once an enterprise has started to make heavier use of cloud-based services and infrastructure, it's important to carry out regular audits to ensure that the systems and services being used remain on the right side of GDPR compliance.
Internal audits might seem like a tedious process, but they are a lot less painful and costly than finding out the company or one of its cloud services has breached GDPR and ends up facing an investigation from data regulators and potentially hefty fines.
Such auditing could also lead to spotting inefficiencies in a company's existing IT infrastructure and processes and enable streamlining measures to be taken to ensure both business and IT operations run in the most effective way possible.