The General Data Protection Regulation (GDPR) is a European regulation introduced by the EU to strengthen individual control over personal data and increase the obligations of organizations that collect such data on EU citizens. The regulation came into force in May 2018, and its rules have particularly strong ramifications in the context of cloud computing.
An increasing number of organizations rely on cloud computing platforms as core components of their IT infrastructure. Whether for storing important data, running applications, serving web content, or backing up data for disaster recovery purposes, cloud services provide important IT functions in a cost-effective, scalable manner.
However, the modus operandi of the cloud computing paradigm is such that organizations often store sensitive information on cloud platforms. This information is effectively entrusted to a third party operating beyond the internal firewall of such organizations, creating a slew of potential challenges in the context of GDPR compliance, both for cloud providers and for organizations that use the cloud.
Read on to find out about five important challenges of maintaining a GDPR-compliant cloud platform and some tips on overcoming such challenges.
It can be difficult to determine the exact physical location of data residing in the cloud. For example, an organization might store sensitive data in the cloud on Amazon Web Services (AWS) and then use a separate cloud-based AWS disaster recovery service for backing up this data.
Precise storage locations become blurred, and the issue is that GDPR rules stipulate that both data controllers (organizations) and processors (cloud providers) know where sensitive information resides. Furthermore, if data moves outside the European Union/European Economic Area, the location to which it’s transferred must either be on a pre-approved European Commission list or it must enforce GDPR-equivalent standards.
From an organization’s perspective, it’s imperative to perform due diligence on any cloud provider, to maintain visibility over precisely where data is stored and processed, and to determine whether the cloud provider moves data to data centers located outside the EEA. From the cloud provider’s perspective, any data movement of EU citizen information to a location outside the EEA must be done bearing in mind adherence to GDPR principles.
A fundamental shift outlined in GDPR is the responsibility of data processors to also protect the personal data of EU citizens. Previously, this responsibility fell to the data controller. Since cloud service providers meet the definition of a data processor, the onus now also falls on cloud service providers to implement a number of internal practices that safeguard personal data in alignment with GDPR.
Cloud service providers must recognize their responsibility and implement these standards, and those that already follow international information security standards such as ISO 27001 will find the transition under GDPR to be much smoother. However, it’s important for organizations acting as data controllers, i.e. those organizations that collect the data and store it in the cloud, to recognize that they still take on much of the responsibility for personal information.
Better tracking/tracing methods for individual data are needed from both cloud service providers and organizations to ensure they meet their obligations, particularly with the complexity of modern technology infrastructure.
There is much confusion about encryption relating to GDPR, but the wording quite clearly recommends encryption as one method of ensuring appropriate information security without mandating its use. This poses a challenge both for cloud providers and organizations using the cloud: should they actually encrypt their data?
There are technical overheads associated with data encryption. The important thing to recognize is that encryption is a tool that helps with GDPR compliance and that it also helps reduce the impact of any data breach. It is a decision of risks versus costs; taking the wording of GDPR into consideration, you can view encryption as a form of insurance.
GDPR is strict on data retention and emphasizes that data should be stored for no longer than is necessary to serve its purpose. This has consequences for both organizations and cloud providers. In their role as data controllers, organizations should set data retention policies with explicit retention periods defined for different types of data.
The main challenge is ensuring visibility over data because with cloud deployments, personal data can reside in multiple locations, and ensuring its deletion can become complex. Organizations should also consider backups when thinking about their data retention policies in addition to ensuring cloud providers abide by retention periods and remove data as necessary and as required by GDPR.
It is against GDPR rules to use personal data for purposes that are incompatible with the originally stated purposes for collecting this data. For example, if your business collects and stores customer data in the cloud, the cloud provider cannot then use this data for marketing purposes without the explicit consent of the individual. Compatible purposes typically refer to archiving in the public interest, scientific research purposes, or statistical purposes.
This purpose limitation of GDPR is critical and cloud providers must ask for specific consent before disclosing information to other parties for different purposes. Organizations should ensure that their cloud contract doesn’t give the provider the right to use the data for secondary purposes without seeking consent.
GDPR presents significant challenges for any party involved in the collection or processing of personal information belonging to EU citizens. In the context of cloud computing, there are some tricky issues to overcome, but a transparent and comprehensive approach on the part of cloud service providers and organizations can ensure GDPR compliance in the cloud.