Achieving GDPR compliance in the cloud

Not entirely without dark clouds ...

Choosing a cloud solution can bring some "dark" clouds to take into account when personal data is involved.

In recent years, many companies have moved to the cloud due to the potential for cost savings and scalability. However, the new General Data Protection Regulation (GDPR) has created a new barrier for companies providing software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS) applications in the cloud, and GDPR costs are already high.

When a company uses a cloud provider, the provider is considered, in GDPR terminology, to be the personal data processor and the company is considered to be the personal data controller. The controller retains ownership of the data. The processor must follow the controller's instructions regarding how the data is processed. In this regard, there are some unique challenges that companies should consider.


Cloud-specific challenges for GDPR compliance

In general, GDPR compliance requires investment in technology, personnel and legal expertise. All this can be expensive. Here are some other unique challenges for GDPR in the cloud: 

Implementing data storage, deletion and portability         

Before "confirming" the move of information up to the cloud, it is worth examining where the information ends up.

The GDPR not only protects users' right to request relevant information about themselves but also the right to request deletion of data or transfer of it to another controller. Meeting these requirements is complicated in a local environment where companies have control over storage. Cloud storage in multiple locations makes storage, deletion, and portability more complicated. Businesses and cloud providers need to coordinate globally to meet each individual request. 

Coordination of breach notifications

Personal data controllers must notify authorities and users within 72 hours in the event of a data breach. Even if the breach is on the part of the cloud provider, that information must be provided to the authorities and users as soon as possible. The agreements between companies and cloud providers must be correct in order to avoid confusion regarding ownership of data. This will be an ongoing problem for any business using the cloud.

Maintaining data integrity

Cloud data is often shared between different regions, countries and even continents. If the information is outside the EU, there are other laws that apply. Among other things, the requirements for you as personal data controller will be higher. In addition, cloud providers allow data to be moved from one location to another or allow data to be stored in multiple locations for faster access. Deciding which laws to apply regarding data integrity can be a complicated data management problem.

Consolidation of cloud architecture and built-in privacy

GDPR requires built-in privacy, which means that the infrastructure and business methods must have privacy proactively embedded in the systems. However, companies do not have direct control over the cloud architecture. In a GDPR world, companies need to regularly monitor cloud providers' systems to ensure that the principles of embedded privacy are met.

Compliance with security requirements

Companies must ensure that their cloud providers comply with the GDPR's security requirements. Various authorities are developing certifications. Cloud providers can use these certifications to demonstrate compliance. However, it is the companies' responsibility to ensure that they store data with a cloud provider that complies with the GDPR.

Designing a compliance process for GDPR in the cloud

For a small business, GDPR compliance in the cloud may seem overwhelming at first, and it cannot be denied that it involves a lot of work, but a step-by-step strategy can help make the data more manageable:

Establishing an action plan to divide the implementation process into more transparent parts is almost necessary. 

  • Prepare: Start with an overview of which of the GDPR's rules and regulations apply to your specific business. Form a team that will devote all its resources to GDPR tasks.

  • Review: The team can begin reviewing the various data processing procedures. At this stage, you create a more detailed picture of where your information is located. Companies often underestimate how many cloud services they use. The review will give you a chance to get a more realistic view of all the data that is spread across different cloud applications.

  • Analyze: Take the review tasks and analyze them to become well acquainted with your applications, platforms and processes. You want to find out where you can optimize and how much it will cost, as well as identify problem areas.

  • Create an action plan: It is time to develop the measures to take to make infrastructure and process changes. The action plan will help you deal with issues systematically. It breaks down overwhelming data into smaller parts. As a controller, you need to direct your cloud provider or processor to provide the services you need. In addition, if you discover that your cloud provider does not have certain provisions in the agreement, make sure that you renegotiate so that the agreement complies with the General Data Protection Regulation.

  • Manage: GDPR is a complicated piece of legislation that will continue to be developed. You must therefore continuously monitor and ensure that you change your applications and systems as new requirements are introduced.

Cloud providers are active partners

Companies cannot offer fully compliant services without the help of cloud providers. So it is important to promote good relationships with them. As record keepers of data, they will be an active partner on this journey. Their help can make a huge difference in terms of the time and cost of achieving GDPR compliance.

Pierre Gustavsson
GDPR Coach, Arbore AB