
GDPR Requirements List For Businesses Operating In The Cloud

The GDPR requirements list is long and complex, but more so for businesses operating in the cloud. Not only do businesses operating in the cloud need to keep track of their own compliance efforts, they also need to monitor the compliance of cloud service providers and the cloud-based apps they use.

We will cover some of the items that should be included on a GDPR requirements list for businesses operating in the cloud. It is not intended to replace a list of GDPR requirements for businesses’ general operations, but highlights some of the additional factors businesses operating in the cloud need to consider.

What did the cloud do to upset the EU?

If you’ve studied the GDPR requirements list, you might be wondering what the cloud did to upset the EU so much. The list of GDPR requirements for businesses operating in the cloud is so extensive that some commentators suggest compliance has been made deliberately difficult in order to pay back companies such as Facebook, Twitter, and Google that have abused individuals’ data for years.

Although these commentators may have a point, the groundwork for the General Data Protection Regulation was laid back in 2012, long before the Cambridge Analytica scandal, with the objectives of bringing data protection law into line with how individuals’ data are actually used and of standardizing the law across all EU member states.

Prior to the introduction of GDPR, the EU’s data protection laws were based on a 1995 Directive (95/46/EC) that could not possibly have foreseen the explosion of cloud computing. Although the list of GDPR requirements creates a considerable amount of work for businesses operating in the cloud, the standardization of data protection laws across member states is expected to save businesses a collective €2.3 billion annually.

The unique challenges of GDPR for businesses operating in the cloud

The unique challenges of GDPR for businesses operating in the cloud stem from not always knowing where data are processed and stored, how the data are secured, or how to access the data. In public cloud environments, where processing and storage infrastructure is shared with other tenants, the risk of information leakage or a data breach is correspondingly greater, and the controls that mitigate it (tenant isolation, encryption, access control) are largely in the provider’s hands rather than yours.

Because data can be transferred from one region or availability zone to another, it can also be a challenge to determine which sets of data security and privacy laws apply. GDPR continues to apply to personal data you are responsible for regardless of where it is physically processed; what changes with location is the set of additional rules. If GDPR-covered data is processed or stored outside the EU, the transfer is only lawful where the destination country has been found to offer an equivalent level of protection (an adequacy decision) or appropriate safeguards such as standard contractual clauses are in place, and local law in that country may impose data protection requirements of its own.

This issue extends into the commitments made to data subjects by each business’s Privacy Policy. If a cloud service provider or cloud-based app operates in multiple jurisdictions, it may be difficult to comply with the Rights of Individuals. Businesses operating in the cloud need to establish whether the cloud service provider or cloud-based app they are using will support their GDPR compliance efforts or create obstacles to compliance that may be difficult to overcome.

GDPR requirements: cloud service providers

In order to better highlight some of the additional factors businesses operating in the cloud need to consider, we have created one list of GDPR requirements for cloud service providers and another for cloud-based apps. The lists are not exhaustive and may not apply to all businesses in all circumstances, which is why we describe them as factors to consider rather than items that must necessarily be acted upon.

Check the security of data

As a Data Controller (a business that subcontracts data processing to a cloud service provider) you have little direct control over the technical and organizational measures the provider implements to protect your data, yet under GDPR you remain accountable for choosing a processor that offers sufficient guarantees (Article 28) and for the security of processing (Article 32). Make the first item on your GDPR requirements list checking to what extent the cloud service provider is able to comply with your (and GDPR’s) security requirements: ask for its certifications and audit reports, and for the specific controls (encryption at rest and in transit, access management, logging) it applies to your data.

Establish visibility into data collection

As you are required under GDPR to collect only the data needed for the lawful purpose for which it is intended, it is important that you have full visibility into any metadata the cloud service provider collects about your users and workloads (usage logs, telemetry, device and account identifiers). Questions you should be asking your cloud service provider include: who owns the metadata, what level of protection does it have, and how is an individual’s right to opt out of metadata collection handled?

Implement retention and deletion policies

Under GDPR, personal data must not be retained for longer than required to serve its lawful purpose. This can create conflicts for businesses where other regulations (tax, accounting or employment law, for example) stipulate that data must be retained for a minimum period. You will need to establish what data must be retained and for how long, and organize a system in which all unnecessary data stored in the cloud, including copies held in backups and snapshots, can be deleted.

Ensure subject access requests can be fulfilled

Compliance with the Rights of Individuals is one area the EU’s Data Protection Authorities will be scrutinizing closely. Not only is it necessary for you to supply a full data set of an individual’s personal information when requested, but also, in order to comply with the Right to Data Portability, that it is provided to the individual in a structured, commonly used and machine-readable format (JSON or CSV, for example).

Coordinate data breach notification processes

Data breach notification processes must be included in data processing agreements with cloud service providers. The agreements must define what constitutes a personal data breach and describe the procedure the cloud service provider must follow in order to notify your business’s Data Protection Officer (DPO) without undue delay. This matters because your own obligation to notify the supervisory authority within 72 hours of becoming aware of a breach depends on hearing from the provider promptly, so the agreement should also specify what the provider’s notification must contain (the data affected, likely consequences, and measures taken).

GDPR requirements: cloud-based apps

It’s important businesses conduct an audit of the cloud-based apps they use to ensure they are GDPR-compliant.

Know the location(s) where apps process and store data

In addition to ensuring the cloud-based apps your business uses meet GDPR privacy and security requirements, you should find out where the apps process and store data. GDPR imposes restrictions on the transfer of personal data outside the EU to ensure the level of protection afforded to individuals is not undermined.

Create policies to only use GDPR-compliant apps

Employees can work on-premises, remotely, on their own mobile devices, or on managed BYOD devices. Due to the need to safeguard the integrity of personal information collected from EU data subjects, you need to create policies to ensure your employees only use GDPR-compliant apps that meet your security standards for protecting personal data from loss, alteration, or unauthorized processing.

Execute an agreement with apps used for data processing

It is important that you execute an agreement with the provider of any app used for data processing. You will need to ensure the provider adheres to the data privacy and security requirements of GDPR, uses the personal data shared with it only for the lawful purpose stated and, if the app also collects data on your business’s behalf, collects only the data necessary to perform that lawful purpose.

Ensure the Rights of Individuals are upheld

The final two items on this GDPR requirements list are similar to those that appear on the list of GDPR requirements for cloud service providers: the Rights of Individuals and Data Retention/Deletion. Any cloud-based app your business uses should be able to release an individual’s data quickly enough for you to fulfil Subject Access Requests within the one-month statutory deadline. It should also be possible to correct data easily when requested.

Implement processes for data retention and deletion

In most scenarios, if you stop using an app, you want to be in a position where you can download all the data you have uploaded to it or it has collected on your behalf. There may also be situations in which you need to delete the data of a single individual. Processes should be put in place to facilitate the retention, deletion, and portability of data within the allowable timeframes.
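The retention, erasure and portability processes described here, and the retention and deletion policies in the earlier list for cloud service providers, can be expressed as a small policy engine. The following is an added example written for this article, not code from the original page or from any provider; the record layout, the retention periods, the "primary"/"backup" store labels and the sample records are all hypothetical. It shows the point that is easy to get wrong in practice: a statutory minimum retention period from another regulation overrides the shorter GDPR limit, backups are swept with the same rules as the primary store, and an erasure request that cannot be honoured yet is reported back rather than silently ignored.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json


@dataclass(frozen=True)
class RetentionRule:
    """Retention bounds for one processing purpose (hypothetical values)."""
    purpose: str
    max_days: int      # GDPR storage limitation: delete once no longer needed
    min_days: int = 0  # minimum imposed by another regulation (e.g. accounting)

    @property
    def deadline_days(self) -> int:
        # Conflict resolution: a statutory minimum overrides a shorter GDPR
        # limit, so the record is kept until the later of the two, then deleted.
        return max(self.min_days, self.max_days)


@dataclass
class Record:
    subject_id: str
    purpose: str
    last_used: datetime
    location: str             # "primary" or "backup"; backups are in scope too
    legal_hold: bool = False  # e.g. litigation hold; blocks deletion entirely
    payload: dict = field(default_factory=dict)


def classify(record: Record, rules: dict, now: datetime) -> str:
    """Decide 'hold', 'retain' or 'delete' for one record."""
    if record.legal_hold:
        return "hold"
    age_days = (now - record.last_used).days
    return "delete" if age_days > rules[record.purpose].deadline_days else "retain"


def sweep(records: list, rules: dict, now: datetime) -> dict:
    """Apply retention across every store, backups included. Returns the
    surviving records plus a log of deletions and holds for the compliance file."""
    kept, log = [], {"delete": [], "hold": []}
    for r in records:
        decision = classify(r, rules, now)
        if decision == "delete":
            log["delete"].append((r.subject_id, r.purpose, r.location))
            continue
        if decision == "hold":
            log["hold"].append((r.subject_id, r.purpose, r.location))
        kept.append(r)
    return {"kept": kept, "log": log}


def erase_subject(records: list, subject_id: str, rules: dict, now: datetime) -> dict:
    """Right to erasure for one data subject. Records still inside a statutory
    minimum or under legal hold cannot go yet and are reported back so the
    subject can be told why."""
    kept, blocked = [], []
    for r in records:
        if r.subject_id != subject_id:
            kept.append(r)
            continue
        age_days = (now - r.last_used).days
        if r.legal_hold or age_days < rules[r.purpose].min_days:
            blocked.append((r.purpose, r.location))
            kept.append(r)
    return {"kept": kept, "blocked": blocked}


def export_subject(records: list, subject_id: str) -> str:
    """Right to data portability: one machine-readable JSON document with
    every primary-store record held about the subject."""
    items = [
        {"purpose": r.purpose, "last_used": r.last_used.isoformat(), "data": r.payload}
        for r in records
        if r.subject_id == subject_id and r.location == "primary"
    ]
    return json.dumps({"subject_id": subject_id, "records": items}, indent=2, sort_keys=True)


# Constructed sample data, not taken from the article.
RULES = {
    "marketing": RetentionRule("marketing", max_days=365),
    "invoicing": RetentionRule("invoicing", max_days=365, min_days=7 * 365),
}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("u1", "marketing", NOW - timedelta(days=400), "primary", payload={"email": "u1@example.com"}),
    Record("u1", "marketing", NOW - timedelta(days=400), "backup", payload={"email": "u1@example.com"}),
    Record("u1", "invoicing", NOW - timedelta(days=400), "primary", payload={"invoice": "INV-1"}),
    Record("u2", "marketing", NOW - timedelta(days=30), "primary", payload={"email": "u2@example.com"}),
    Record("u3", "marketing", NOW - timedelta(days=900), "primary", legal_hold=True),
]

if __name__ == "__main__":
    result = sweep(SAMPLE, RULES, NOW)
    print("deleted:", result["log"]["delete"])   # both u1 marketing copies
    print("on hold:", result["log"]["hold"])     # u3
    print("erasure blocked:", erase_subject(SAMPLE, "u1", RULES, NOW)["blocked"])
    print(export_subject(SAMPLE, "u1"))
```

Running the sample: the marketing record for u1 is 400 days old and is deleted from both the primary store and the backup, the invoicing record for u1 survives the sweep because its seven-year accounting minimum outranks the one-year GDPR limit, and u3 is untouched because of the legal hold. An erasure request from u1 removes the marketing copies immediately but reports the invoicing record as blocked, which is the answer the subject should be given rather than a silent partial deletion. In a real system the sweep would run against the provider's object store and backup catalogue rather than an in-memory list, and the log would be kept as evidence of compliance.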

Start compiling your list of GDPR requirements today

The GDPR requirements lists featured above are just the tip of the iceberg for some businesses. Once the lists have been compiled and audits completed, there then comes the process of identifying areas of non-compliance and implementing measures to address them. After that, mechanisms need to be put in place to ensure ongoing GDPR compliance.