By Moazzam Adnan Raja, Atlantic.Net
On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect. This new set of standards and guidelines deserves special consideration related to cloud computing. This article reviews what the GDPR is, tactics you can use to best protect information within cloud environments, and how you can identify a cloud service provider (CSP) that takes GDPR compliance and data protection seriously.
This information privacy law, passed by the European Parliament in April 2016, took the place of a data law that was passed by the same body in 1995. The regulation mandates that organizations set up safeguards for the privacy and personal data of those who live in the European Union related to any digital activity within those countries. Additionally, when data of EU citizens is migrated beyond the boundaries of EU nations, the GDPR states that protections must still be in force. These stipulations apply not just to companies located in Europe but to any businesses interacting with this consumer information (i.e., any organization with a website that processes, stores, or transfers the sensitive personally identifiable information (PII) of EU citizens).
The GDPR was enacted because public concern related to privacy and security is high. Statistics cited by CSO senior editor Michael Nadeau reveal just how important this topic is to consumers both within the EU and outside it: from a poll of 7500 consumers in the United States, United Kingdom, Germany, Italy, and France, 80 percent said that losing financial data was a major concern. Furthermore (and of great importance to business), nearly two-thirds of respondents (62%) said that they would consider the applicable company rather than cybercriminals at fault if their information was stolen.
Keeping your organization’s cloud ecosystem compliant with the GDPR requires a thorough and multi-faceted approach. Here are five core tactics you can use to keep your company protecting data as it must in order to meet these critical guidelines:
It is first necessary to identify all of the cloud systems that you are using. Consolidate apps so that you do not have multiple ones performing the same function. Sign an updated data processing agreement with all these vendors that adhere to the rules of the GDPR. Also, find out where the data resides for each of your cloud partners. Be certain that you know if data is just being processed and stored in one data center, or if it is reliant on servers within several facilities.
One key way to protect yourself is to avoid gathering unnecessary data. You should also carefully restrict any “special” information (that referring to parameters such as race, ethnic background, religious identification, or political affiliation) that you handle. It should be clear within any data processing contracts with CSPs that the system will only gather information from your users and company that the app must have in order to work correctly. These agreements should also state the limitations that will be placed on any special data collection. Furthermore, they should indicate that you are the owner of the data and that it cannot be shared with any outside parties.
You, of course, must protect your systems, but it is also necessary to let the regulators know whenever your setup fails and a breach occurs. This process relies heavily on your relationships with CSPs since you will need their assistance to get the necessary information to the authorities quickly and accurately. Since that is the case, you must be certain that the vendors you entrust have a knowledgeable staff that is able to identify breaches and respond to them immediately (see the below section on finding a provider). Keep in mind that you do not just have to worry about fines but consumer trust since the details of these breaches will be published. Plus, joint and several liability is assigned to the cloud provider per the GDPR, so both the data controller and data processor can be held accountable in court by any parties whose information is exposed.
Assess all the cloud apps and other elements within your ecosystem to ensure they meet your security policies. Either stop using or create additional controls for ones that are not fully compliant with your standards. Writing in the Cloud Industry Forum, Andy Aplin highlighted his organization’s software that checks cloud applications using nearly 50 guidelines, automating discovery and streamlining the process so that you can locate gaps and compare different services efficiently.
Your agreement with the cloud provider should include language on how data removal would occur after you stop using the service. You want to know how long it will take them to delete your information once you cancel so that your exposure is as limited as possible.
Of course, you can ask questions, but you should also clearly see that the CSP is focused on security and compliance – so that any modifications to policies and procedures in response to the GDPR are tweaks rather than overhauls. Partnering with cloud vendors who are deeply concerned with privacy and security will not just ensure that you can maintain GDPR compliance but that you don’t have to do all the heavy lifting along the way.
Author Bio: Moazzam Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.
We are proud to provide objective and impartial benchmark data on this website. VPSBenchmarks receives support from some of the providers featured here but all tests are conducted the same way regardless of our relationships with them.
If you find our benchmarks valuable, you can help by making your cloud purchases using the Provider Affiliate Buttons displayed throughout the site.
All tests that were recently conducted at VpsBenchmarks: