Using Cloud in the GDPR Era
For many organisations, the EU’s General Data Protection Regulation requires a new level of data governance. Cloud storage can make that trickier.
In industries such as health care and financial services, regulatory requirements have long shaped companies’ use of the cloud. Today, any organisation that holds data on individuals in the European Union faces similar constraints thanks to the EU’s General Data Protection Regulation (GDPR), which took effect on 25 May 2018. GDPR places tight restrictions on the handling of personal data of people in the EU, and it can have a significant effect on many organisations’ cloud efforts.
Designed to harmonise data privacy and data protection across Europe, GDPR holds accountable all organisations that process personal data of individuals in the EU, whether customers, employees, or others. Regardless of where the organisations themselves are located, they must now handle that data according to very specific rules. Those that fail to do so face potential fines of up to 4 percent of worldwide annual turnover or 20 million euros, whichever is higher.
GDPR’s requirements affect what data is housed and where, how it is secured, and how it is accessed and used. As enterprises embrace public clouds and store data in increasingly diverse environments, it’s critical they understand the regulatory and legal considerations.
The Buck Stops Here
Among the challenges now facing organisations as a result of GDPR is the need to identify, inventory, and maintain a record of all the EU-based personal data they collect and process. They must also incorporate privacy and data protection controls into any systems or processes that involve such data. And when EU residents ask to access their data or have it corrected, erased, or moved, organisations must be willing and able to comply.
These requirements demand a level of data governance far beyond what most organisations have had traditionally, even in their own data centres; when the data resides in the cloud, the challenge becomes even more complex.
Although cloud storage takes an organisation’s data off-site, accountability for GDPR compliance stays with the organisation that determines why and how the data is processed (the controller); it does not transfer to the cloud provider. The provider, acting as a processor, has obligations of its own under the regulation, but those obligations do not relieve the controller of its accountability. Think of the cloud as a storage locker: you hold the keys, and you are responsible for what is inside, even though it is not on your premises.
Complicating matters further is that regulators will likely perform audits to ensure compliance, and when data is in the cloud they may seek access to the data centres involved; the regulation gives supervisory authorities the power to obtain access to a controller’s or processor’s premises, including its data-processing equipment. That is not something cloud providers are accustomed to providing. While they certainly know this possibility is coming, it is not yet clear how their interpretation of what is required will mesh with regulators’ expectations. In practice, the written contract the regulation requires between a controller and its processor should spell out how audits and inspections will be supported, so that the question is settled before a regulator asks.
It will take some time for many of the rules to become more clearly delineated. In the meantime, some companies may avoid doing business in Europe altogether, at least until the dust settles; others may turn away from the cloud because they feel less in control of their infrastructure. For everyone else, a few leading practices can help:
Retain control.
First and foremost, organisations should do as much as possible to retain control of their own compliance: make sure they understand the regulation, and proactively work out what they need to change and how to do it most effectively. Otherwise, regulators will most likely drive that change through audits and penalties, and their priorities will almost certainly be different.
Weigh the costs.
For some organisations, GDPR compliance may be more expensive when data is in the cloud than when it is in their own data centres, because of the extra monitoring and control that may be required, such as tracking where data is stored and who has accessed it. It is important to break down the costs for each option and understand how they compare, then make infrastructure decisions from there.
Establish key roles.
Much the way health care organisations have created new roles to manage HIPAA compliance, GDPR calls for something similar, but it is worth being precise about its terms. A controller and a processor are not job titles; they are the organisations involved. The controller is the organisation that determines what personal data is processed and for what purpose, and so is the party that identifies the data covered by the regulation. The processor is the organisation that processes that data on the controller’s behalf; a cloud provider storing a customer’s data is the typical example. The regulation requires a written contract between the two that sets out the processor’s duties, and both controller and processor can be held liable for breaches. The data protection officer, or DPO, is an individual role: the person responsible for informing and advising the organisation about its obligations, monitoring its compliance, and serving as the contact point for regulators. Designating a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organisations may appoint one voluntarily.
Conduct self-audits.
Rather than waiting for an official audit by regulators, leading organisations are beginning to conduct self-audits of their own compliance. Outside consultants can play a key role here by performing mock audits that simulate real ones, helping organisations see where their vulnerabilities lie, whether internally, in the public cloud, or with other business partners. A useful self-audit checks the same things a regulator would: the record of personal data collected and processed, the controls built into the systems that handle it, and the contracts and evidence obtained from cloud providers and other processors.
Don’t freeze up.
Last but not least, it’s important not to let GDPR stifle innovation or freeze the organisation in place. To stay competitive, companies need to maintain their creativity and keep innovating, and to design their systems accordingly. In many cases, the cloud can and should remain a part of that picture.
There is no doubt GDPR has launched a new era in data management, and cloud storage can add yet another level of complexity to an already daunting compliance challenge. With the right approach, however, the cloud’s benefits can still outweigh the extra work of addressing those considerations.