3 key steps to vet cloud services for GDPR compliance
The General Data Protection Regulation is now EU law and will come into effect on May 25, 2018, bringing with it a host of challenges for organizations throughout the world. While the law is termed “general,” it might more accurately be called “global.”
No matter where a company is headquartered, if it holds data on EU citizens, non-compliance could result in steep fines. With due diligence, these fines, which can add up to over $20 Million or 4 percent of a company’s annual global turnover, can be avoided. However, the challenges are multifaceted and include the need for compliance both internally and in working with service providers that also adhere to the provisions of GDPR.
Vetting the ability of service providers to comply with GDPR before engaging them is a great way to get a jump start on ensuring a company’s entire compendium of data is up to scratch.
Getting your own house in order isn’t enough
GDPR replaces the pre-social media Data Protection Directive, and seeks to enshrine into law EU citizens’ right to control how personal data is stored, processed, and shared.
One of the most discussed provisions of GDPR is Article 17 – Right to Erasure – commonly referred to as the “right to be forgotten.” Under this requirement, individuals have the right to have personal data erased and to prevent processing in specific circumstances.
For individual companies, the need to work with a cloud service provider that has standards in place to handle these erasure requests is essential for ensuring their own compliance. Working with a cloud provider that makes submitting erasure requests easy allows companies to avoid bottlenecks in responding to requests that are out of their control.
An even more important consideration is the potential risks emerging from a company’s use of cloud-based tools. For example, a company using a cloud-based collaboration tool might inadvertently put user data in an unsecured position. Without measures in place to address GDPR requirements, something as simple as a sensitive cloud-hosted document viewed on an employee’s smartphone could be problematic under the law.
Collaboration tools are just a sliver of the cloud services that companies need to consider. Today, rather than storing business-critical data like customer transactions on-premises, many companies store data on more flexible cloud platforms like Amazon Web Services (AWS). Data analytics is increasingly moving to the cloud as well, with compute as well as storage functions on platforms not directly under a company’s control. All are potentially subject to GDPR regulations (and fines for non-compliance).
In many cases, even careful, compliant, and secure companies can find their users’ data haphazardly strewn across cloud platforms on the internet. EU regulators clearly have both a shrinking tolerance for this situation and the regulatory muscle to combat it across oceans and borders. With the prevalence of cloud-based tools in business today and the massive, wide-ranging data footprint that comes with them, companies must thoroughly vet their cloud service providers’ own compliance standards to be sure they themselves are staying compliant.
How to vet your cloud service providers
Below are key indicators your cloud services are ready for GDPR:
1. Nitty gritty details are a good sign. The best way to be sure your cloud service providers are taking GDPR seriously and not putting your business at risk is to only work with providers that make the details of their readiness explicit from the beginning. GDPR outlines these details in Article 25 (“Privacy by Design and Default”), which can help to determine if these services are built from the ground up to meet the rigorous personal data privacy guidelines of the GDPR. For example, cloud services should be able to address the access, rectification, and erasure rights of users.
2. EU citizen data should be easily identifiable. Cloud providers that are compliant with GDPR will be able to show that they have the ability to segregate access or isolate EU citizen data so that only authorized and GDPR-trained staff have access to that data. Ideally, cloud providers deliver the flexibility to store EU citizen data in datacenters physically located in the EU, or have partnerships with firms that provide that capability.
3. Search and retrieval performance is critical. Cloud providers must be able to respond quickly to inquiries from EU citizens who believe that their personal information may have been used inappropriately (Article 15 – “Right of Access”). Meeting this requirement is time sensitive, and providers must have the functional capabilities to quickly search and retrieve information – regardless of how much data they have stored.
As we saw at ILTACON17, GDPR provides an opportunity for firms and services providers to demonstrate that they take data privacy seriously. With the amount of data that lives in the cloud today, a good service provider can help take some serious compliance pressure off your own shoulders; equally, a bad one could be an expensive nightmare.