Ever since the new European regulation on the protection of personal data (GDPR) was voted in, businesses have started their countdown to the transition that will take place in May 2018. They now have less than 18 months to comply with the new European regulation and the consequences of its requirements in terms of data protection: strengthened cybersecurity, liability of data collection entities and new mandatory procedures.
What sets the GDPR apart from earlier legislation relating to the protection of private data is the paperless, digital and transitional aspects of the data from a legal viewpoint. This gives rise to a host of critical issues in cybersecurity and also marks the first time that data is being considered in a borderless context.
Even as the ink was drying on the new regulations, millions more businesses were migrating into the cloud, which is why Gartner projected public cloud services growing 17.2 per cent in 2016. It is this vast expansion that gives the issue of protecting European data a whole new dimension.
For businesses that are operating in the cloud, there are several aspects of the GDPR that have to be taken into special consideration to ensure compliance. The first is that, by its nature, data held in the cloud is entrusted to a third party (a sub-contractor), is de facto hosted elsewhere, and leaves the business’s actual physical premises. Businesses, therefore, must be sure that the cloud hosting provider can deliver the right level of security, and can produce logs in the event of an incident as and when they are required. This provides a guarantee to the business in its capacity as a client and forces cloud hosting providers to equip themselves with mechanisms to record logs and report alerts, as well as the entire cybersecurity arsenal that should be included anyway in any credible cloud solution.
The second aspect relates to delocalisation and the threat of espionage. Since the data is digitised, migrating it to the cloud can result in it crossing certain borders. This is, in fact, a major risk that needs to be closely monitored and for which solutions do exist. Even within the scope of the GDPR and the current tense international context, some businesses may have data hosted outside Europe, sometimes because of their economic models, their corporate structures, or because a value-added application does not offer hosting within the EU.
The regulatory nature of the GDPR will push migrating businesses and cloud providers towards one approach in particular: European businesses should choose data hosting in a European country (not the UK, which will be leaving the EU) in order to ensure that the cloud provider will be duty-bound to comply with the restrictions imposed by the GDPR on processing data.
Brexit does not mean exit from GDPR
UK businesses should not think that because the UK is leaving the EU, they will not need to comply with GDPR. Firstly, the GDPR is scheduled to go into effect in May 2018, which will fall before the UK’s exit from the EU, and penalties for non-compliance will apply during that period. Secondly, it is quite likely that the UK will adopt the GDPR in order to protect its citizens’ personal data and to be competitive whilst trading in Europe. The other consideration is for European companies working in the UK, or UK companies working in Europe who would also be bound by GDPR.
What to expect if you are migrating to the cloud or a cloud provider
The regulatory nature of the GDPR will push migrating businesses and cloud providers to adopt the following approaches. Cloud providers will have an obligation to provide:
- Guaranteed ease of changing host providers.
- Reporting of incidents within 72 hours and presentation of logs within 72 hours.
- Written procedures that can be produced upon request.
- Absolute guarantee that data will not be processed by the hosting company without prior authorisation of both the client and the collecting entity.
- Ensuring that data processing goes through documented procedures. This applies whether the business conducts such procedures itself or they are done on behalf of the business. These procedures will be required to be evaluated during audits.
By the same token, businesses will also have a duty to their data subjects as follows:
- Appointing a data controller (liaising with the potential cloud provider and authorities in the event of an audit)
- Clear explicit consent required from the person concerned to process his or her personal data. Once again, the business must clearly express how it intends to use the data it collects or with which it has been entrusted.
- The right to be forgotten on request. This newly established right forces businesses to provide “the clear and straightforward possibility” of erasing an individual’s or another business’s data simply upon request. This means that databases of clients and prospective clients can only exist with the consent of the company’s contacts, and that the company must provide a simple way for its contacts to erase their data if they so desire.
- The right to move data from one service provider to another. The business will take responsibility for this procedure which must be easy, quick and upon the contact’s request.
- Complete and unambiguous information from the collector regarding the processes applied to collected personal data. The protection of personal data is a fundamental right incorporated in Article 8 of the EU Charter of Fundamental Rights and is closely linked to “respect for private and family life”.
- The right to notification within 72 hours if data is compromised and/or a security incident has occurred. This is one of the new and critical points of the GDPR that businesses will have to bear in mind when choosing a cloud service situated outside the borders of the EU or if they decide not to host data in the cloud. For others, the European hosting entity will handle the ins and outs of this restriction, but it will have to be negotiated when signing the contract since in the eyes of the European regulation, the data collector is the party responsible for compliance.
- The guarantee that privacy policies are explained in clear and unambiguous language. Moving out of the GDPR-compliant countries would be like choosing to absorb a whole new set of risks – since the hosting entity outside the EU will not be bearing them, they will be passed on to the European company collecting such data.
There is a great deal of help for companies in the cloud that want the best advice in preparation for the GDPR. Specialist law firms can provide guidance and there are even dedicated legal tools online. Consultants can offer analysis following an audit, which helps companies to better manage the digital transition while taking into account the constraints of the GDPR. Above all, ensure that the cloud host can provide provable compliance with the GDPR.
In addition, it is vital to be equipped with the best cybersecurity solutions. Being cautious and opting for solutions that have been certified by the recognised national authority will ensure the effectiveness of the protection. It is also important to remember that the onus will be on the organisation that collects and hosts the data to ensure it provides an adequate level of security in order to maintain the integrity of its data.
A paper by Jocelyn Krystlik, published on Cloud Computing News in March 2017.