The Impact of GDPR on Cloud Computing
The EU General Data Protection Regulation (GDPR) is the most significant piece of privacy legislation to come into effect across Europe in a generation.
It will apply to any organisation who handles EU citizen data, even if they’re not from the EU. This means any European company with employees or a US firm with European customers will have to comply or face the consequences.
GDPR places new obligations on businesses, ones which will affect how they use cloud services. With cloud adoption now around 90% in the UK, it is important to ensure that the cloud services you use are compliant and that the systems and applications you design do not expose you to risk.
GDPR strengthens user privacy in two main ways. Firstly, it increases the obligations on organisations to protect user data and secondly it grants citizens major new powers over how their information is collected, used and stored.
For example, businesses must ensure that all reasonable steps are taken to secure data, train staff and disclose breaches and must be clear and transparent to citizens about how they use personal data. Citizens can demand to see what data an entity is held on them and can also request that this is deleted at any time.
The most obvious impact of GDPR on cloud services is data sovereignty. EU law requires that all data stored on citizens must be either stored in the EU so it is subject to European privacy laws, or within a jurisdiction that has similar levels of protection. The US is not deemed to have sufficient safeguards so a legal mechanism called ‘Privacy Shield’ is used, allowing individual organisations to prove they will protect data.
Of course, if you have your own data centre in an EU country, this isn’t a problem, but if you use a public cloud service then you may not be so sure where your data is held.
Most major cloud platforms, such as Microsoft Azure, have data centres around the world and give customers the option to specify where certain workloads are stored. Check with your cloud provider to see if you can do this.
Data control and visibility
The second most pressing concern is data visibility and portability. GDPR requires organisations to be able to give individuals their data in a usable format if so requested, and also for it to be deleted. This will also apply to backups, so visibility over your entire infrastructure is key to compliance.
GDPR also mandates that data can only be used for the specific purpose for which it was collected, so it’s important to ensure this procedure is followed and that any service allows you to implement retention policies if data must be deleted after a certain period of time.
As part of your requirements, when agreeing a contract with a cloud provider, you should assert than you own the information in question.
Privacy by design and security
Finally, one of the biggest cloud challenges arising from GDPR is security. GDPR requires all organisations to employ ‘privacy-by-design’ as a principle for every application and system in order to protect personal information, so bear this in mind when designing any new cloud application.
You should also ensure your staff are trained. There have been numerous instances of well-known companies and even governments not securing data repositories on public cloud services, exposing sensitive information and credit card details. Not only could this data be used maliciously, it could also be wiped and used for a ransomware attack.
The penalties for non-compliance of GDPR – and that includes not taking sufficient steps to protect citizen information – are severe. The Information Commissioner’s Office (ICO) can issue a fine of up to €20 million or 4% of global turnover.
It goes without saying that the cloud is an essential part of the modern IT stack, but the advent of GDPR means it’s time to use it a little bit differently. In most cases your cloud provider will have done the hard work, but it’s worth taking just a little bit of time to ensure you meet these new challenges.
Why not read ‘The Last Minute Guide to GDPR’?