How will GDPR impact your cloud?
The 25th of May 2018 is a date that is top of mind for many businesses. And if it is not, perhaps it should be.
It is, of course, the compliance deadline for organisations affected by the General Data Protection Regulation (GDPR). And while this is an EU regulation, it is certainly not confined to EU companies. In a world where cloud services have created a global marketplace, rules, regulations and consequences also have cross-border implications.
Will the GDPR affect me?
Any organisation that processes data about EU citizens (even if those citizens are not located in the EU) must comply or face fines of up to 20 million Euros or 4 percent of their global turnover. If you answer yes to any of the following questions, then you need to ensure you are compliant:
- Does your website collect information about users and could these users come from the EU?
- Do you store personal data of non-EU citizens who are residing in the EU (e.g. employee, customer or student data – current or previous)?
- Does your business have an establishment in the EU?
- Are you a provider of goods or services to EU residents through ecommerce or other means?
- Do you or one of your third-party services monitor the behaviour of EU residents?
- Do you have employees with an EU address or dual citizenship?
Data can include name, address, photo, email, bank details, social media posts, medical information and even IP addresses.
Understanding GDPR and the cloud
A recent study from Commvault showed that only 12% of organisations surveyed understood how the GDPR would affect their cloud and cloud services.
Concerns around data security, data sovereignty and privacy are not new for any organisation running its business on cloud services. To be honest, most organisations genuinely want to protect their data and their customers’ privacy, and privacy regulations are certainly not new.
The difference is that the GDPR has a lot more teeth than many of its precursors. How it will play out in practice remains to be seen. However, the principles of “privacy by design” and “security by design”, which really underpin the GDPR, will have a direct impact on how IT is implemented.
These are two principles that should, by all rights, underpin any robust cloud design regardless of the GDPR. You may have answered no to all of the questions regarding EU data collection. However, the GDPR serves as a good prompt for ensuring you are providing the strongest level of security for your users and customers.
How does the GDPR impact my cloud design and management?
The key principle of the GDPR is to put power back into the hands of the subject, giving them greater control over how their personal data is stored and used and the right to be “forgotten”. This applies not only to data in production but also to backup copies. It is critical in a cloud environment to know how data is stored, how it is accessed and how it is deleted if required.
In hybrid and public environments, the location of data may not always be clear, especially where there are third-party providers involved. Data in the cloud is commonly transferred between locations. This data volatility adds yet another layer of complexity.
Securing your data in the cloud
The most robust cloud environments will be secure by design. Data leakage and data access are already a concern in a cloud environment. Security measures need to be built in to ensure that personal data is protected against unauthorised processing, theft, loss and alteration. Cloud applications need to meet security standards, and protections need to be put in place against those that don’t. If you work with third-party cloud providers, you need to ensure that their security measures will meet your requirements to protect your customers.
GDPR and documentation
Documentation is the bane of most organisations. It’s time-consuming, usually the least exciting part of a project, and should be (though rarely is) kept up to date. The GDPR, however, requires demonstration of compliance. For most organisations this will undoubtedly be the most manually intensive part of being ready for GDPR implementation. Demonstrating the processes, policies and procedures that you have put in place to ensure compliance is a key part of the documentation process. This isn’t just good practice in general but will also assist in the case of an audit or a change of roles, and will provide a basis for continual monitoring and improvement. The steps taken to implement compliance will almost certainly be the first thing an auditor will look at.
While a Data Protection Officer (DPO) is not mandatory in all situations, it is highly recommended as best practice. In addition, there are no exemptions for SMEs if they fall under the requirements for a DPO. Good quality documentation will go a long way to help staff fulfil this role, particularly if they have other tasks and duties to perform.
It’s clear that data protection needs to be included by default in a hybrid cloud infrastructure. This means from the design phase right through to implementation and management. GDPR compliance is a group effort, which requires collaboration, organisational support, and a very clear strategy. Again, clear and comprehensive documentation will ensure all stakeholders are on the same page.
At the end of the day, whether you are managing your cloud in-house or outsourcing all or part, you are ultimately responsible for the protection of your customers’ data. You need to ensure your cloud’s compliance with the GDPR.
About Qirx in a Box
Qirx in a Box is a solution that helps businesses to train, design, develop and fully document their hybrid cloud environments, making it easy to build in the underlying principles of “privacy by design” and “security by design” that are a crucial part of the GDPR. The documentation set that is easily built out using Qirx in a Box can help demonstrate due process in the event of a data breach.