With it being GDPR D-Day, what happens if your cloud computing is not GDPR compliant? We look at some of the consequences of non-compliance and some of the ways in which you could get found out. The conclusion is it is not worth risking a substantial penalty by ignoring the GDPR compliance requirements.
GDPR D-Day is today. By today, you must be cloud computing GDPR compliant if you collect, process, or store the personal information of EU “data subjects” or face the consequences. But what are the consequences? How will Data Protection Authorities be aware your cloud computing is not GDPR compliant? Is it worth taking a chance? (The answer to the final question is “NO!”)
You should be aware of the GDPR compliance requirements by now. If not, we have written a few blogs about the subject you are invited to review:
- GDPR Requirements List for Businesses Operating in the Cloud
- Is Your Business Located in One of the Countries Affected by GDPR?
- What is a GDPR Retention Policy and How Should it be Implemented?
So, what happens if your cloud computing is not GDPR compliant?
If your cloud computing is not GDPR compliant today, you don't necessarily have to have experienced a breach of data in order to be in violation of the Regulation. You could be in violation of the Regulation for failing to advise visitors to your website how their personal information—including IP address—is collected and processed, and who it is shared with.
You could be in violation of the Regulation for collecting more personal information than is necessary for the “lawful basis” of processing it, or for maintaining a database of personal information no longer required for processing. There are dozens of ways in which you could be in violation of GDPR and, if it comes to the attention of a Data Protection Authority, there will be consequences.
The extent of the consequences is widely reported as “up to €20 million or 4% of global turnover”. This level of penalty is unlikely to be applied today or in the short-term thereafter; but the consequences could still be significant depending on:
- The nature, gravity and duration of the violation taking into account the number of data subjects affected and the level of damage suffered by them.
- The intentional or negligent character of the violation, and any safeguards put in place to mitigate the damage suffered by data subjects.
- The technical and organizational measures implemented prior to GDPR D-Day in the pursuit of compliance with the Regulation.
- Previous violations, previous attempts to remedy previous violations and the degree of cooperation with the Data Protection Authority.
- The manner in which the violation became known to the Data Protection Authority (see “How on Earth … …” below).
- The failure to obtain the clear and unambiguous consent of a data subject before collecting, processing and storing their personal information.
- The failure to process a Subject Access Request within the thirty day time limit or the failure to comply with the “Rights of Individuals”.
- Any infringement of an EU member state data protection law not covered by GDPR.
If a violation of GDPR is discovered or a breach is reported to the member state's Data Protection Authority, the potential penalties vary from “No Action” (for minor violations where it is clear the business has tried its best to comply with GDPR) to a “Reprimand”, to a “Data Processing Ban” (can be temporary or permanent), to a financial penalty up to the widely reported €20 million/4%.
The most severe penalties will likely be applied to businesses that violate the rules relating to consent, Subject Access Requests and the Rights of Individuals. This is because the whole purpose of GDPR D-Day is to give EU data subjects more say over how their personal information is collected, processed and stored. Cooperation with the Data Protection Authority will also be a significant consideration.
In order to comply with this area of GDPR, businesses need to know how their cloud computing operations collect, process and store data. They also need to know who data is shared with, if the person(s)/app(s) with whom the data is shared is GDPR compliant, and how data is stored. It is also important to have a data retention policy for your business and for any third parties if data is shared.
How on earth would a data protection authority find out?
There are millions of businesses and billions of software applications subject to GDPR compliance, so it would be really unlucky if your non-compliant cloud computing business came to the attention of a Data Protection Authority. Right? Wrong. Data Protection Authorities are expected to be busy from GDPR D-Day onwards as data breaches are reported and investigations launched.
Even if no data breach occurs due to your non-compliant cloud computing operations, it only takes a complaint from one of your customers to launch an investigation if he or she is aware of GDPR D-Day and has a bad experience with your business. It could be a malicious and completely unfounded complaint, but the disruption it would cause your business—and the potential consequences—could be costly.
Malicious and unfounded complaints bring us to the actions of your competitors. Imagine how you might feel if, for two years, you had been preparing for GDPR D-Day conscientiously, only to find your closest competitor had benefitted commercially by not investing in compliance requirements. Might you report them? Might one of your competitors report you for the same reason?
GDPR enforcement action could be the least of your worries
Regardless of how your non-compliant cloud computing business comes to the attention of a Data Protection Authority, GDPR enforcement action could be the least of your worries. If you are found to have violated the Regulation, GDPR requires Data Protection Authorities to maintain public lists of data protection impact assessments similar to the OCR's “Wall of Shame” in the United States.
This may not only damage your business reputation, but a publicly-accessible list of data protection impact assessments is like an invitation to a cybercriminal to hack your software. A €20 million fine or 4% of your global turnover could be nothing compared to the damage a cybercriminal could do if the reason for GDPR enforcement action is a lack of adequate security measures.
Consequently, it is not worth taking a chance that your failure to prepare for GDPR D-Day will go unnoticed. If you have not already conducted a data audit to determine how your cloud computing operations collect, process and store data – and with whom it might be shared – you had better start today.