Privacy regulations regarding data protection are both a challenge and an opportunity. A key indicator of “GDPR maturity” is the data protection mindset within companies and the level of data protection provided, which means what, where and how business-critical workloads operate on cloud infrastructures.
For many companies, the GDPR is still seen as a complex project. The legal, technical and organisational challenges brought about by the GDPR have proved stressful, resource-sapping and extremely difficult to keep on top of. Particularly in the case of large migration projects in the cloud computing environment, in the IoT environment or in big data scenarios, day-to-day business leaves little time to give data regulations the attention they require.
However, in addition to numerous implementation challenges, the GDPR also offers the opportunity to excel by redefining and implementing new data protection and IT security strategies, especially in the context of cloud computing.
As a result, the topic of cloud computing raises many questions in the context of the GDPR. In technical terms, cloud computing is a data processing contract. Hence, the cloud user should always be fully aware of the way their data is processed. Cloud providers and resource providers only support their functions and are dependent on the legal requirements of the responsible authority. In other words, both cloud providers and businesses must meet the minimum legal requirements for each cloud service under the GDPR.
Special attention should be paid to the ability of your cloud solution to meet Article 28 and Article 48. In light of the US CLOUD Act, US cloud service providers cannot guarantee that they meet Article 48:
“Any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
Seize the moment
How can you take advantage of the potential challenges behind the GDPR? There are two main questions. On the one hand, companies need to know which cloud providers they can trust to fully comply with the above articles.
On the other hand, companies need to know which technical and organisational measures they must take in order to be “GDPR-compliant”.
Opportunities and obligations for CISOs – the right cloud partner
The right cloud partner can be a valuable sparring partner in the light of the GDPR: with their expertise in compliance and security, they can assist your company on its journey towards GDPR compliance.
If you apply a multi-cloud strategy, you need to assess the data protection policies of each cloud provider.
Hybrid and multi-cloud approaches are much more complex to coordinate and therefore may present a higher data protection risk. The multitude of different cloud providers, especially in the public cloud environment, makes it difficult for CISOs to ensure GDPR compliance. GDPR compliance is only as strong as the weakest link. For example, a breach or non-compliance by a single cloud provider within a multi-cloud deployment can undermine all efforts towards successful GDPR compliance.
Six Key Criteria
Here is a quick set of criteria you can use to evaluate your potential or existing cloud partners in terms of GDPR compliance:
Security and Privacy
A first necessary step is to assess to what extent the provider is able to comply with your IT security requirements. One easy way cloud providers can demonstrate compliance with security and “Privacy by Design” is by being ISO 27001 or ISO 27018 certified.
Companies that work with a wide range of critical data must provide sufficient guarantees (in accordance with Article 28 of the GDPR) that the data controller uses “only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Hence, you need to make sure that your cloud provider is conducting regular audits for the review, scoring and evaluation of technical and organisational measures to guarantee the security of processing. In addition, you need to make sure that the cloud partner grants its customers the right to audit. For EU companies, appointing a cloud service provider that is sovereign-owned by an EU member state ensures that your data is in safe hands and will not, for example, be handed over to a third-country court, as this would expose the cloud service provider and the company to large fines under the GDPR.
Knowing the location where your data is being stored and processed is important. Yet, not all cloud partners provide you with the necessary transparency about their cloud locations. Note that the cloud provider’s headquarters might not necessarily be the location where your data is hosted. In addition, your data may be moved between different cloud locations in the background, without you being informed. This may be part of the Terms of Service of the cloud partner. Finally, cloud service providers may store data in multiple locations, and some of these may be outside the EEA. As a Data Controller, you need to define a multi-country cloud strategy to adhere to adequacy requirements as well as data localisation laws.
The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls to pseudonymous data and anonymization. The easiest way to achieve this is to choose a cloud partner that has enough security features to choose from, such as backup, encryption, access control policies and others. If your cloud partner does not have such a policy, you need to take care of the security features yourself.
As a customer of a cloud provider, you are the Data Controller, which means you must maintain control and ownership of your own data. This can be achieved by signing a Data Processing Agreement (DPA) with your cloud partner to guarantee that the partner is adhering to the data privacy protection requirements as per the GDPR. You can either draft your own or check if your cloud partner has created a DPA as a standard part of the Terms of Service. The advantage of using your own is that you can specify the type of personal data and “special” data collected. Whether you use your partner’s DPA or your own, make sure that the terms state clearly that the Data Controller (i.e. you) owns the data and that the Data Processor (i.e. the cloud partner) will not share the data with third parties.
You need to make sure that once your contract with the cloud partner has ended, you can download/erase the data and that the cloud partner will delete the data once you’ve terminated the service. Some cloud providers, especially when they are ISO-certified, have defined a standardised policy for deleting data after contract expiration. Try to find out how long it takes for the cloud provider to delete your data.