The General Data Protection Regulation comes into effect in the European Union on May 25, 2018 and will have an impact on cloud computing, particularly in relation to data privacy.
As more and more businesses migrate to the cloud, this could pose challenges for those that are not yet compliant with data protection laws.
A cloud service provider processes personal data stored within its databases or servers on your behalf; you, the business, are the controller.
Businesses hold personal information that belongs to their clients and entrust it to be stored on the cloud. Security risks include hacking, espionage, loss of data and risk of information leaks.
Within the EU, the physical location of data is a decisive factor in determining which privacy rules apply. Because data may be moved around the cloud at any given moment, this gives rise to challenges, since the applicable jurisdiction may not be immediately apparent.
As a result, the exercise of rights over data may be subject to different conditions depending on the jurisdiction. It is therefore of paramount importance to ensure that data is encrypted, handled and stored reliably.
Under the GDPR, personal data may not be stored longer than needed for the predefined purpose. This means that businesses and cloud service providers must find effective ways of implementing this requirement and purging records whenever necessary. Again, the movement of data becomes an issue. To ensure full compliance, backups must also be identified and deleted.
It is essential that businesses are aware of the conditions under which cloud service providers store and delete data.
Breach protocols must be defined and set out in data processing agreements with cloud providers. A breach event must have a response procedure, and under the GDPR rules the provider must notify the controller immediately.
The controller must also notify the relevant authorities if such an event takes place. To ensure security, the GDPR stipulates that personal data stored on the cloud is encrypted, so that if there is a breach, the information will be useless to those who may have stolen or acquired it.
Under the GDPR, cloud service providers must perform Data Protection Impact Assessments (DPIAs), and audits must be incorporated into any agreement.
Cloud providers can demonstrate compliance with security and Privacy by Design in several ways:
- DPIA results;
- ISO 27001 certification (information security management system);
- ISO 27018 certification (code of practice for the protection of personally identifiable information, PII, in public clouds acting as PII processors).
Privacy and data security
Put simply, the biggest effect that the GDPR will have on cloud computing is to tighten up the security of data storage and to ensure that the way records are kept, and the length of time they are kept, are in line with legislation.
The GDPR also ensures that cloud data storage is encrypted and that there is a procedure for disaster scenarios to cater for any such breach.
The GDPR will also affect non-EU cloud providers, because demand from Europe for such services is huge while many cloud providers are based outside the EU bloc.