Using Cloud in the GDPR Era

For many organisations, the EU’s General Data Protection Regulation requires a new level of data governance. Cloud storage can make that trickier.

The Malta Business Weekly - ENEWS & TECH

In industries such as health care and financial services, regulatory requirements have long shaped companies’ use of the cloud. Today, any organisation with data on residents of the European Union faces similar constraints thanks to the EU’s General Data Protection Regulation (GDPR), which took effect in May. GDPR places tight restrictions on the handling of personal data from the EU, and it can have a significant effect on many organisations’ cloud efforts.

Designed to harmonise data privacy and data protection across Europe, GDPR holds accountable all companies that process personal data associated with EU residents, whether customers, employees, or others. Regardless of where the companies themselves are located, they must now handle data about EU-based individuals according to very specific rules. Those that fail to do so could face potential penalties as high as 4 percent of global revenue or 20 million euros.

GDPR’s requirements affect what data is housed and where, how it is secured, and how it is accessed and used. As enterprises embrace public clouds and store data in increasingly diverse environments, it’s critical they understand the regulatory and legal considerations.

The Buck Stops Here

Among the challenges now facing organisations as a result of GDPR is the need to identify, inventory, and maintain a record of all the EU-based personal data they collect and process. They must also incorporate privacy and data protection controls into any systems or processes that involve such data. And when EU residents ask to access their data or have it corrected, erased, or moved, organisations must be willing and able to comply.

These requirements demand a level of data governance far beyond what most organisations have had traditionally, even in their own data centres; when the data resides in the cloud, the challenge becomes even more complex.

Although cloud storage takes an organisation’s data off-site, GDPR compliance remains the responsibility of the organisation that owns the data—not the cloud provider. Think of the cloud as a storage locker: you get the keys, and you’re responsible for what’s inside—even if it’s not on your premises.

Complicating matters further is that regulators will likely perform audits to ensure compliance, and when data is in the cloud, they may seek physical access to the data centres involved. That’s not something cloud providers are accustomed to providing. While they certainly know this possibility is coming, it’s not yet clear how their interpretation of what’s required will mesh with regulators’ expectations.

Leading Practices

It will take some time for many of the rules to become more clearly delineated. In the meantime, some companies may avoid doing business in Europe altogether, at least until the dust settles; others may turn away from the cloud because they feel less in control of their infrastructure. For everyone else, a few leading practices can help:

Take control.

First and foremost, it is important for organisations to do as much as possible to retain control of their own compliance by making sure they understand the regulation and proactively figuring out how they need to change—and how to do it most effectively. Otherwise, regulators will most likely drive that change through audits and penalties, and their priorities will almost certainly be different.

Weigh the costs.

For some organisations, GDPR compliance may be more expensive when data is in the cloud than when it’s in their own data centres because of the extra steps that may be required for monitoring and control. It’s important to break down the costs for each option and understand how they compare—then make infrastructure decisions from there.

Establish key roles.

Much as health care organisations have created new roles to manage HIPAA compliance, GDPR calls for something similar. A data controller, for instance, typically defines what personally identifiable information the organisation processes, and for what purpose; essentially, this is the person who identifies the data covered by the regulation. The data processor, meanwhile, maintains and oversees the processing of the data and can be held liable for breaches. Finally, the data protection officer, or DPO, is the person responsible for educating the company and serving as the chief contact point for regulators.

Perform self-audits.

Rather than waiting for an official audit by regulators, leading organisations are beginning to conduct self-audits of their own compliance. Outside consultants can play a key role here by performing mock audits that simulate real ones, helping organisations see where their vulnerabilities lie, whether internally, in the public cloud, or with other business partners.

Don’t freeze up.

Last but not least, it’s important not to let GDPR stifle innovation or freeze the organisation in place. To stay competitive, companies need to maintain their creativity and keep innovating, and to design their systems accordingly. In many cases, the cloud can and should remain a part of that picture.

There’s no doubt GDPR has launched a new era in data management, and cloud storage can add yet another level of complexity to the already daunting compliance challenge. With the right approach, however, the cloud’s many potential benefits can make it well worth undertaking that extra consideration.
