Staying GDPR Compliant in the Cloud


Internet of Things
10 Aug 18 Author: David Ellis

May 25th 2018 was the date when the European Union’s General Data Protection Regulation (GDPR) finally came into force - bringing the most significant change to EU data protection law for 25 years.

Designed to give the individual greater control over the personal data that’s collected, stored and shared in today’s digital world, the GDPR is founded on two basic principles. The first is ‘privacy by design’, and the second is ‘security by design’. And these principles apply equally to outsourced IT and on-premises IT, which means there really is nowhere to hide. If your organisation collects, or causes to be collected, data on EU citizens, it is responsible for ensuring the privacy and security of that data, wherever it may be in the world, and whoever may have been hired or allowed to process it. That includes all backups that an organisation has made, as well as any and all data that the organisation has exchanged with third parties.

So how does the GDPR impact on cloud computing and what are the main challenges you need to take into consideration?

Addressing the key challenges

Almost any type of information can be hosted in the cloud, including sensitive data, which inevitably increases the risk of uncontrolled distribution of that data to third parties. The GDPR was designed to overcome this issue and these are some of the key challenges that you and your customers will need to consider in relation to data that’s processed or stored in the cloud.

Data Retention: Under the GDPR, personal data may not be stored for longer than needed for the predefined purpose. This means that retention periods must be implemented and data deleted effectively when retention periods expire. The difficulty here is that data can be stored on multiple locations and under multiple jurisdictions by cloud service providers. The deletion of data will also impose a challenge as any backups must also be taken into consideration. Having a clear overview of how backups are secured and retention is managed is a critical part of ensuring GDPR compliance.

Managing Data Breaches: Breach notification obligations and protocols must be included in data processing agreements with cloud providers. The contract must define a breach event and describe the procedure for notifying the organisation about any breaches without undue delay. Even if the CSP experiences a data breach that impacts multiple customers, each organisation will need to own their external communications and manage the overall breach with the support of the CSP. The important thing is to ensure that the breach does not become public before the CSP has notified its customers of the breach and those customers have had the chance to notify the relevant authorities.

Overcoming Shadow IT: According to the Cloud Industry Forum in its latest Netskope Cloud Report, the average European business is using 608 cloud apps. However, despite increased awareness of IT teams over the last year or so, shadow IT is still rife and the actual number of cloud apps in use is likely to have been underestimated by about 90%! With the GDPR now active and organisations obliged to know exactly what data they are storing and where, this is a worrying figure to say the least. Discovering all of the cloud apps in use across an organisation is critical to ensuring GDPR compliance.

Data Portability: If data is stored in the cloud, it must be possible for that data to be retrieved in a structured, commonly used and machine-readable format to facilitate the right of data portability for data subjects. CSPs need to have the technical capability to ensure that this data subject right can be satisfied.

Cloud Architecture: It’s important to understand the underlying technologies used by a CSP and the implication that these technologies could have on the security safeguards and protection of the personal data stored in the cloud. The architecture of a cloud provider’s system also needs to be monitored to address any changes in technology and recommended updates to the system.

Security Controls: Bear in mind that the CSP will take responsibility for securing the IT environment and ensuring that the appropriate privacy measures are in place. This will need to be managed and monitored as part of the third party risk management process to ensure compliance with the GDPR.

Overcoming the GDPR challenges

The GDPR has brought about significant changes for every organisation in terms of how they process, store, access, transfer and manage data. Whether you’re an existing Cloud Service Provider that needs to support customers in ensuring compliance throughout their lifecycle, or an IT solution provider partner that wants to better understand the impact of the GDPR for your customers as they transition to hybrid IT solutions, Tech Data can support you along the way.

Find out more by exploring our website to discover the benefits of working in partnership with Tech Data Cloud Solutions