If your organisation uses Cloud services, you’ll be aware of their many benefits. But have you thought about the data protection risks? With the EU General Data Protection Regulation (GDPR) taking effect on 25 May 2018, this question is more pressing than ever.
The apparent security of the Cloud has led some organisations to store as much data in it as possible. However, the Cloud is vulnerable to breaches, and organisations remain responsible for the security of any data stored in it, even though outsourcing to a Cloud provider gives them less control over the way that data is stored and protected.
No one expects organisations to stop using the Cloud, but the European Data Protection Supervisor (EDPS) has released guidance on minimising the risks associated with it. The recommendations form the basis for a proposed EU regulation on Cloud computing and are in line with the requirements of the GDPR.
Things to consider
Research is essential, says the EDPS. You should learn as much about the practices of various Cloud service providers (CSPs) as possible before committing. You should also seek advice from organisations that have worked with each CSP. This will help you identify the data protection safeguards that are needed to stay secure and compliant with relevant laws.
If you can’t find adequate safeguards, the EDPS urges you to find less risky Cloud services or avoid using the Cloud for that data.
Even if you are happy with the proposed safeguards, you’re not quite ready to go. The guidelines advise that you first identify the roles needed to use a CSP, allocate the relevant tasks and resources, and set up internal policies, processes and procedures to manage the Cloud services.
You should also train decision makers, business owners, contract managers and IT staff on data protection risks arising from Cloud services, and request that contractors also be trained.
Working with the CSP
The final step is to agree with the CSP that:
- It will process personal data entrusted by your organisation solely on your documented instructions;
- Those authorised to process the personal data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
- The responsibilities and liabilities of the different parties (including sub-processors, if any) have been outlined;
- It will support your organisation in fulfilling its obligations as a controller towards the data subjects and the EDPS;
- There are provisions giving your organisation the right to audit the CSP (by itself or via a third party);
- Your organisation knows the location of the CSP and any sub-processors;
- Your organisation knows the data processing operations (including backups) of the CSP and any sub-processors;
- It will not engage another processor without the prior written authorisation of your organisation;
- Information won’t be disclosed to law enforcement unless it is expressly authorised by EU law;
- There are data portability, recovery and disposal procedures; and
- Your organisation can request the deletion or return of all personal data at the end of the provision of services.
Preparing for the GDPR
This list of requirements probably seems daunting, and the timing of the guidance isn’t exactly ideal. Those responsible for data protection in your organisation will almost certainly be preoccupied with the many longstanding requirements of the GDPR.
The best way to avoid mistakes is to ensure that everyone in your organisation who handles personal data is aware of the GDPR and its requirements. The more people who know what the organisation should be doing, the more likely it is that someone will spot a problem in your processes or systems.
To get started, you should consider enrolling any relevant employees on our Certified GDPR Foundation Training Course.
This one-day course is the perfect introduction to the GDPR. It’s delivered by an experienced data protection practitioner, who will teach you:
- The terms and definitions used in the GDPR;
- The six data protection principles;
- The rights of data subjects;
- How to secure personal data;
- The concept of data protection by design; and
- How to report data breaches.