GDPR and the impact on cloud computing

The European Commission adopted the General Data Protection Regulation (GDPR) to establish stringent data protection laws in the European Union. The GDPR gives all organizations a single set of regulations to follow for data collection, storage, and use. The GDPR was passed in April 2016 and was implemented this year, in May 2018. Non-compliance with the GDPR will attract harsh penalties from the European Commission. Despite the strict regulations and heavy fines, a large percentage of organizations have still not adopted the GDPR. To know more about the GDPR policy, click here: https://bit.ly/2GSgZxE

With many organizations adopting the cloud, the debate over data security in the cloud has been on the rise. And with GDPR in the picture, the debate has grown more serious. The main point of discussion around GDPR is how to handle cloud apps under the new policy. According to our latest Netskope Cloud Report, the average European enterprise is using 608 cloud apps. Even with this awareness on the part of IT, organizations underestimate the figure by 90%. This raises the question of how organizations that have adopted the cloud can adhere to GDPR guidelines if they serve European clients. This blog will cover whether GDPR applies to you, what is covered under GDPR, and what to consider when your organization is moving to a cloud or cloud service provider.

Does GDPR apply to you?

According to an article in Forbes, if you are doing any of the following business activities in Europe, you must comply with the GDPR:

  • Selling goods or services to EU citizens
  • Operating a website that uses cookies and other technology to monitor traffic that originates from the EU
  • Employing EU residents
  • Collecting any data such as a name, phone number, email ID, photo, email address, an individual’s bank details, medical information, work performance details, purchases, tax numbers, education or competencies, location, usernames or computer IP addresses

Many organizations will be confused about whether GDPR applies to them. An organization in any country that processes anyone’s data, i.e. data that originated in the EU, is subject to GDPR.

Impact of GDPR on the cloud service providers: 

Under the previous GDPR policies, cloud service providers that are also the data processors for their clients had a few direct responsibilities under the data protection laws. But with the new GDPR policy, the cloud service provider and the client will share equal responsibility for data protection. CSPs have to determine the best way to make sure that the data stored by their clients on the cloud is handled as per the GDPR guidelines, to avoid any fines and penalties.

What to expect when you are migrating to a cloud or a cloud provider: 

  • Controllers & Processors: For proper implementation of the GDPR policies, it’s important to understand everyone’s role in the process. Prior to the GDPR, the regulation only applied to the “controller”, i.e. the person or organization that determines the means of processing the data. But GDPR extends the responsibility to the processor of the data, such as a cloud service provider, which must also protect the data hosted by the controller. The GDPR requires organizations, i.e. the processors, to develop and implement internal processes to protect the data. The subcontractors used by the processor must also comply with the GDPR.
  • Both the processor and the controller will share the liability in case of any non-compliance. Andy Alpin of Netskope outlined app compliance on the Cloud Industry Forum:
    • Know what apps your business is using and where they are storing the data. If your data is stored on servers in Europe, GDPR compliance is mandatory.
    • Only collect the data that is required by your business, and block third parties from using your app data.
    • Get data processing contracts with your app provider that allow you to fully erase the information from the app if you stop using it.
  • Data Location: Under the GDPR, both the controllers and the processors should know where their data is located, stored and processed. This helps restrict the transfer of personal data to third countries or international organizations outside Europe. The cloud service providers may use servers outside Europe to host the data, but the transfer of data must be as per the guidelines under the GDPR data transfer principles.
  • Businesses must ensure that their cloud service providers take adequate measures to protect the personal data of their clients and conduct regular audits to meet the GDPR security requirements. If any sub-processor is involved, the same data protection obligations apply to them.
  • Rights of Individuals & Cloud Contracts: The GDPR gives individuals rights regarding the use of their personal data, the transfer of their data, and when to erase their data. Though the responsibility for the data falls on the controller, it is the processor’s responsibility to make sure that the infrastructure or services are as per the requirements.
  • Data Centre Providers: Data center providers are an important part of the GDPR which cannot be overlooked. Data Centre Providers are the owners of the physical assets on which the information is stored. DCPs are responsible for managing personal data like biometrics, video surveillance, employee reports and subcontractor information. Because data center providers hold personally identifiable information, GDPR compliance means that they can create, implement and manage data retention policies which are as per customer-specific needs and local legislation.

Still struggling to comply with GDPR and confused about whether it applies to your organization? Contact us, and our cloud experts will help you with a smooth implementation of the GDPR for your cloud migrations. Send us an email at contact@imicorn.com