The General Data Protection Regulation (GDPR), implemented by the European Union in May 2018, gives individual E.U. citizens much greater control over their personal data. Key points about the regulation are as follows:
- Organizations must remove records about customers or clients without undue delay upon receipt of an erasure request to comply with GDPR.
- Organizations must report a security breach that puts individual data at risk within 72 hours of the breach occurring.
- Data processors now share the burden for protecting personal data.
With more organizations leveraging the cloud service model to deliver important enterprise IT functions, including data storage, hosting applications, and data backup, GDPR has a range of impacts on both cloud service providers and cloud users. With potentially sensitive data being transferred beyond the internal control of organizations, both service providers and users have responsibilities in maintaining GDPR compliance.
This article outlines five important lessons learned for cloud computing in terms of achieving compliance with GDPR rules.
1. Don’t Neglect Cloud Backup Data
The strict GDPR rule about an individual’s right to be forgotten is relatively straightforward to adhere to for production systems: you delete the data promptly after receiving such a request. However, a crucial lesson in the context of cloud computing is to understand what you must do with backup data belonging to individuals who want their data removed.
Many organizations use cloud backup services for archiving and/or disaster recovery, including Microsoft Azure, Amazon Web Services (AWS), and even backup services that protect primary data already residing on AWS. The onus, according to GDPR, is on both the data controller (the organization) and the data processor (the cloud service provider) to comply with the rules.
To handle data residing in cloud backup services that owners have requested you remove, both cloud users and service providers can take steps, such as:
- Remove backup copies of the data as soon as it is feasible to do so, i.e., as soon as deletion does not conflict with your other data retention obligations.
- Keep backup data safe by always encrypting it.
- Clearly communicate with people about how data kept in backup systems might take longer to remove, how you plan to secure it, and when you will delete it.
- Implement pre-defined data retention periods.
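The four steps above translate into a concrete schedule that a controller can hand to the data subject: production data goes on the request date, each backup snapshot goes when its pre-defined retention period ends, and any copy held under a conflicting retention obligation is listed rather than silently kept. The following is an added example, not code from the original article or from any backup provider; the snapshot inventory, the 30-day retention period, the `legal_hold` flag and all identifiers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class BackupSnapshot:
    snapshot_id: str
    created: date
    subjects: FrozenSet[str]   # ids of the data subjects whose records the snapshot holds
    legal_hold: bool = False   # True when another retention obligation forbids early purge


@dataclass
class ErasurePlan:
    subject_id: str
    production_deleted: date          # production records are removed on the request date
    purge_schedule: Dict[str, date]   # snapshot id -> date that backup copy is destroyed
    deferred: List[str]               # snapshots kept under a conflicting obligation
    overdue: List[str]                # snapshots past their retention period but still present
    complete_by: date                 # date by which every non-deferred copy is gone


def plan_erasure(subject_id: str, request_date: date,
                 snapshots: List[BackupSnapshot], retention_days: int) -> ErasurePlan:
    """Schedule deletion of every backup copy of one subject's data.

    A snapshot is purged when its pre-defined retention period ends, or on the
    request date if that period has already lapsed (which also flags that the
    retention policy was not being enforced).  Snapshots under legal hold are
    reported separately so the subject can be told those copies remain for now.
    """
    retention = timedelta(days=retention_days)
    schedule: Dict[str, date] = {}
    deferred: List[str] = []
    overdue: List[str] = []
    for snap in snapshots:
        if subject_id not in snap.subjects:
            continue
        if snap.legal_hold:
            deferred.append(snap.snapshot_id)
            continue
        expiry = snap.created + retention
        if expiry < request_date:
            overdue.append(snap.snapshot_id)   # should already have been rotated out
        schedule[snap.snapshot_id] = max(expiry, request_date)
    complete_by = max(schedule.values()) if schedule else request_date
    return ErasurePlan(subject_id, request_date, schedule, deferred, overdue, complete_by)


def subject_notice(plan: ErasurePlan) -> str:
    """Plain-language summary suitable for the communication step (dates in ISO format)."""
    lines = [f"Production records deleted on {plan.production_deleted.isoformat()}.",
             f"All backup copies scheduled for deletion by {plan.complete_by.isoformat()}."]
    if plan.deferred:
        lines.append(f"{len(plan.deferred)} backup copy/copies retained under a separate "
                     "legal obligation; you will be informed when they are removed.")
    return "\n".join(lines)


# Constructed inventory: four snapshots from a hypothetical cloud backup vault.
SNAPSHOTS = [
    BackupSnapshot("snap-A", date(2024, 1, 15), frozenset({"u1", "u2"})),
    BackupSnapshot("snap-B", date(2024, 2, 20), frozenset({"u1"})),
    BackupSnapshot("snap-C", date(2024, 2, 25), frozenset({"u2"})),
    BackupSnapshot("snap-D", date(2024, 2, 28), frozenset({"u1"}), legal_hold=True),
]

if __name__ == "__main__":
    plan = plan_erasure("u1", date(2024, 3, 1), SNAPSHOTS, retention_days=30)
    print(plan)
    print(subject_notice(plan))
```

The `overdue` list is the check a practitioner will want: a snapshot still present after its retention period has lapsed means the pre-defined retention policy exists on paper but is not being applied, which is worth catching before the next erasure request rather than after.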
2. Visibility into Data Location is Crucial
When you transfer or store data in the systems and applications of cloud service providers, it’s important to have clear visibility into where that data is housed and processed. Under GDPR, you, the organizational data controller, and the cloud service provider, in its role as data processor, both need to track the location of sensitive information.
Sensitive data moving outside the EU or the EEA can only be transferred to a location that is either pre-approved by the European Commission or is known to have a GDPR-equivalent regulation in place. The issue is that it is often unclear where exactly data resides in the cloud, and certain cloud providers may move this data between different data centers.
Proper visibility into your cloud-based data comes from performing appropriate due diligence into cloud providers and choosing providers that emphasize transparency into the location of sensitive information in line with GDPR.
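Due diligence on data location is easier to keep up when it is expressed as a check that can be re-run against the current resource inventory, including any replica regions a provider has configured. The example below is added here and is not code from the original article or from any cloud provider; the inventory, the region-to-country mapping and the small allow-list of jurisdictions are constructed for illustration, and the real list of countries covered by an adequacy decision must be taken from the European Commission rather than from this code.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed mapping of provider region codes to ISO country codes (assumption,
# to be replaced by the provider's published region list).
REGION_COUNTRY: Dict[str, str] = {
    "eu-west-1": "IE", "eu-central-1": "DE", "us-east-1": "US",
    "ap-southeast-1": "SG", "northeurope": "IE", "westus2": "US",
}

EU_EEA: FrozenSet[str] = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
})
# Example subset of jurisdictions with an adequacy decision; assumption for the demo.
ADEQUACY: FrozenSet[str] = frozenset({"CH", "GB", "JP"})
ALLOWED: FrozenSet[str] = EU_EEA | ADEQUACY


@dataclass(frozen=True)
class StorageResource:
    name: str
    provider: str
    primary_region: str
    replica_regions: Tuple[str, ...] = field(default_factory=tuple)  # where the provider copies it


# A finding is (resource name, region, reason).
Finding = Tuple[str, str, str]


def residency_findings(resources: List[StorageResource]) -> List[Finding]:
    """Report every region, primary or replica, that breaks the residency rule.

    Two kinds of finding come out: a region we cannot map to a country is a
    visibility gap (the article's core complaint), and a mapped region outside
    the EU/EEA or an adequacy jurisdiction is a transfer that needs a legal basis.
    """
    findings: List[Finding] = []
    for res in resources:
        for region in (res.primary_region, *res.replica_regions):
            country = REGION_COUNTRY.get(region)
            if country is None:
                findings.append((res.name, region, "unknown location: provider gives no country"))
            elif country not in ALLOWED:
                findings.append((res.name, region, f"outside EU/EEA/adequacy: {country}"))
    return findings


def resources_in_scope(findings: List[Finding]) -> FrozenSet[str]:
    """Distinct resources that need attention, for the due-diligence report."""
    return frozenset(name for name, _, _ in findings)


# Constructed inventory of hypothetical resources holding personal data.
INVENTORY = [
    StorageResource("backup-vault", "aws", "eu-west-1", ("eu-central-1",)),
    StorageResource("crm-db", "aws", "eu-west-1", ("us-east-1",)),     # replica leaves the EU
    StorageResource("archive", "azure", "northeurope"),
    StorageResource("analytics", "gcp", "unknown-region"),             # location not disclosed
    StorageResource("hr-export", "aws", "ap-southeast-1"),             # primary copy in Singapore
]

if __name__ == "__main__":
    for name, region, reason in residency_findings(INVENTORY):
        print(f"{name:<14} {region:<16} {reason}")
```

Checking replica regions, not only the primary one, is the point of the example: a resource created in an EU region can still end up with a copy elsewhere when cross-region replication or geo-redundant backup is switched on, and that copy is a transfer under GDPR just as much as the original placement.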
3. Ensure Your Contract Includes Breach Response Protocols
To respond to a cloud-based data breach in a GDPR-compliant manner, the agreement or contract you sign with each cloud service provider should include clear definitions of what constitutes a breach and clear protocols for responding to events that meet this definition.
Make sure your contract stipulates that your cloud service provider notifies you about any data breach in its systems without delay. The last thing you need as a data controller is a breach of sensitive information making media headlines before you’ve been informed and before you’ve had the chance to communicate such a breach both to individuals at risk and the relevant authorities.
4. Your Data Needs to Be Portable
Under GDPR, data subjects have a right to data portability, which means having the right to receive their personal data in a structured, commonly used and machine-readable format.
In the context of modern IT setups, where data could reside on any number of cloud applications, this means organizations should confirm that their cloud providers have the technical capacity to let data subjects exercise this portability right.
As for technical methods of porting data out of cloud services, you can use Application Programming Interfaces (APIs), which major cloud service providers often develop for this purpose. Some cloud service providers also let you download data as a file in a commonly used format, in line with GDPR.
5. Look For Demonstrable Proof of IT Security and Privacy
To comply with GDPR, the highest possible privacy settings need to be applied to secure personal data. Within the enterprise, achieving this is not such an issue. However, when moving data to cloud systems outside the enterprise, it is the cloud provider’s own IT security and privacy measures that determine compliance with GDPR.
Prudent risk management in this respect involves planning to determine the extent to which your chosen cloud provider can protect data to the high-level privacy standard GDPR requires. Things to look out for from cloud service providers include ISO 27001 or ISO 27018 certifications, or perhaps even a specific contractual commitment to GDPR security and privacy compliance.
GDPR is a complex piece of legislation, and achieving compliance with it is paramount if organizations and service providers want to avoid hefty fines and/or lawsuits. The complexity of modern IT environments, which typically feature a slew of cloud services in addition to on-premise systems, adds further challenges to an already paradigm-shifting regulation. Follow the five lessons here to get a good idea of GDPR compliance in a cloud computing landscape.