That new cloud app may help your business work smarter, but did you know that it could be impacting your GDPR compliance? Relentless Privacy & Compliance explain how.
From accounting to marketing, managing day-to-day office functionality to making those all-important sales, there isn’t a single aspect of modern business that hasn’t in some way been improved by the evolution of cloud-based Software-as-a-Service (SAAS) platforms.
Not only do the likes of Salesforce, Sage, ADP and Microsoft Office 365 help businesses to reduce costs by eliminating the need for expensive software licenses, they also help to significantly improve performance, efficiency and all-round collaboration.
So it’s no wonder that more businesses than ever before are turning to the cloud, with around 77% of organisations using at least one cloud-based SAAS solution.
Yet if you’re thinking about joining that 77% and migrating more of your office functionality to the cloud, there’s something you should know:
Using a SAAS platform could affect how compliant you are with current data protection laws such as GDPR.
Today, the data protection specialists at Relentless Privacy and Compliance explain how carrying out a comprehensive Data Protection Impact Assessment (DPIA) can ensure you continue to enjoy frictionless GDPR compliance when working in the cloud.
First, however, let’s look at the threat to your compliance posed by modern SAAS platforms.
Cloud Services and Your Data Protection Responsibilities
By now, you’ve likely done a lot of work to ensure your GDPR compliance strategies, policies and procedures are absolutely airtight. That includes ensuring you have both technological and organisational measures in place to protect the private personal information of your customers. Yet when you take any office functions requiring data processing and migrate them to a cloud software solution, you lose some of that airtight control you have over your data.
Whether you’re using Sage, Salesforce or something else entirely, the minute you input personal data into those apps you are technically making them your data processor and entrusting them with the responsibility of protecting that data on their servers.
Does that make those companies solely responsible for data protection?
Who is Responsible for Personal Data Stored on a Cloud App?
It’s true that any company which processes the data of EU data subjects has to be fully compliant with GDPR, and since any data you input into, say, your cloud-based Sage software gets stored on Sage’s servers, that does indeed make them responsible for protecting it.
Yet that doesn’t mean you’re off the hook if something should happen to that data. As a data controller, the ultimate responsibility comes down to you. Since you authorised Sage to process that data, you’re still liable if something goes wrong.
The good news is that this doesn’t have to be as scary, nor as complicated, as it sounds.
By carrying out a Data Protection Impact Assessment you can be sure that you’re meeting all of your compliance obligations when signing up to a new cloud service and, more importantly, that your customers’ data is well and truly in safe hands.
This, of course, begs one important question:
What is a DPIA?
Also known as a Privacy Impact Assessment, a DPIA is a particular kind of risk assessment used to identify and minimise the potential risks involved in data processing activities.
Article 35 of GDPR states that:
“Where a type of processing, in particular, using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
We can count SAAS platforms as “new technologies,” making a DPIA essential.
What should a DPIA include?
According to the Information Commissioner’s Office (ICO), which enforces GDPR in the UK, a DPIA must:
- Describe the nature, scope, context and purposes of the processing;
- Assess necessity, proportionality and compliance measures;
- Identify and assess risks to individuals; and
- Identify any additional measures to mitigate those risks.
How Does a DPIA Help?
At the most basic level, carrying out a DPIA will allow you to pinpoint any potential threats to the safety of your data and outline the measures you need to take to reduce them, including having a solid contract in place with your SAAS provider which covers data protection.
As part of this contract, your SAAS provider must agree to adhere to GDPR and any other international data privacy laws that affect your business.
Meanwhile, the DPIA itself also serves two key purposes.
1: It serves as a plan of action, outlining the practical steps you will take to reduce or eliminate risk.
2: Should the worst happen and you do suffer a data breach, it allows you to prove to the ICO or other relevant authority that you took all the necessary steps to prevent it from happening. This can prove invaluable should the appropriate authority be considering taking action against you for non-compliance.
What is the Best Way to Create a Data Protection Impact Assessment?
Though you can always create an assessment in a way that best suits you, the ICO does have a downloadable template you can use to make things easier.
Alternatively, consider eliminating the hassle and hard work of creating your DPIA by outsourcing the entire process to Relentless Privacy & Compliance.
Our data protection specialists can provide expert advice and hands-on support to help you ensure GDPR compliance while still making the most of the tools and services that help your business to thrive in the 21st century. Contact us online to arrange your free consultation, or call now on +44 (0) 121 582 0192.