Cloud Suppliers and GDPR: How to Ensure You Find the Silver Lining?

We live in increasingly digital times, and citizens expect to conduct their online activities from wherever they happen to be, using their smartphones or tablets. Very few spare a thought for how that is even possible. It will almost certainly involve cloud services, and in reality those services will probably be delivered by organisations they have never heard of, in locations unknown to them. There is a high degree of “blind trust” that citizen data will be handled safely by these cloud services.

Of course, that is the most likely citizen perspective (if they care at all). For organisations looking to move traditional manual, paper-based services online, carefully selecting a credible cloud service provider becomes an important decision, one that underpins the organisation’s approach to the security and privacy of personal data. With the European Union General Data Protection Regulation (EU GDPR) applying from 25 May 2018, choosing the right cloud service provider could greatly help (or indeed hinder) an organisation’s GDPR compliance.

Data privacy is underwritten by information security, which extends to the technical, operational and personnel controls behind the physical cloud infrastructure itself. To avoid data breaches, unauthorised access and damaging virus or malware attacks, prospective cloud service providers should be able to demonstrate their capabilities readily, and customers should make sure they are able to understand and evaluate the answers they receive (independent audit reports and certifications are easier to assess than self-declared assurances). It should be expected that the more comprehensive the provision and the better the level of service, the higher the price, but that cost has to be weighed against the reduced risk of financial penalties arising from a data breach.


Cloud service providers should be transparent about where their hosting and support facilities are located. As the data controller, the customer needs to understand where the personal data is held and which legal framework applies in those locations (the citizen, as data subject, has a right to be told the same in the privacy notice). While the European Union is harmonising under GDPR, different rules apply within the United States and other non-European nations, and transferring personal data outside the EU/EEA requires a recognised transfer mechanism such as an adequacy decision or appropriate safeguards (for example, standard contractual clauses). Advice should be sought to understand the prevailing legislation, and whether a contractual approach is sufficient to protect the personal data that would be processed within the cloud service.

There is also a need to rely upon the co-operation of the chosen cloud service provider to ensure that the expanded range of data subject rights arriving with GDPR can be actioned within the required time: in most cases without undue delay and within one month of receipt, extendable by a further two months for complex or numerous requests. Subject access requests, the correction of inaccurate data and requests to erase personal data, to name a few, will require clear and efficient co-ordination between the customer and their cloud service provider, and technically complex infrastructure must be able to support such requests. GDPR Article 28 requires this relationship to be governed by a written contract, which among other things obliges the processor to assist the controller in responding to data subject requests. Consideration also needs to be given to any backup copies, archives and declared sub-processors involved in processing the data, since rights such as erasure extend to those copies as well.

There is a lot to think about when selecting a cloud service provider, but a properly justified procurement decision will deliver real benefits to the customer. The scale and resilience of most cloud providers, combined with the monitoring, maintenance (e.g. patching) and physical protection of their assets, will exceed what most standalone customers can deliver, and activities such as these are crucial to preventing and detecting many forms of data loss, theft or compromise. The focused competence of suppliers’ cloud analysts and engineers, normally available on a 24×7 basis, will again provide better protection and tighter SLA commitments than most customers could manage in-house. Note, however, that the provider’s responsibility typically stops at the infrastructure it operates: configuration of the customer’s own services, access control and data classification remain the customer’s job under GDPR.

Third-party cloud services need appropriate time and resources from the customer to ensure that they are selected and managed effectively. Customers will need to understand the nature of any external data processors such as cloud service providers, disclose them (at least as categories of recipient) within privacy notices, and account for them in Data Protection Impact Assessments (DPIAs), so that citizens can make an informed decision about whether they are content to have their data processed in the manner described. Article 25 of GDPR mandates data protection by design and by default, and Article 35 requires a DPIA where processing is likely to result in a high risk to individuals; as such, data processing activities need to be designed and implemented with appropriate privacy safeguards built in from the outset rather than added afterwards.

The preparation of a well-structured DPIA (such as those produced with the InfoSaaS solution) will by necessity involve engagement with any contracted cloud service provider, recognising that the customer (as data controller) and their data processors need to work closely together to ensure that personal data is kept secure, the obligations of GDPR are properly met, and the rights of citizens as data subjects are delivered within the required timeframe. Customers are advised to identify the Data Protection Officer within the cloud service provider, where one has been appointed (Article 37 makes a DPO mandatory only for certain controllers and processors, although many larger providers appoint one anyway), as this individual plays an essential role in communicating the requirements of GDPR internally and ensuring that data protection measures are implemented effectively.

Selected carefully and managed closely, cloud services can greatly assist organisations in achieving compliance with GDPR. Given potential fines of up to €20m (£17m) or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements, the effort of choosing wisely is a small price to pay.
