The GDPR: How to perform due diligence of Cloud service providers

One overlooked aspect of the GDPR (General Data Protection Regulation) is that it’s now much harder for organisations to pass the blame when a third party suffers a data breach.

Data controllers – the organisations that decide why and how personal data is processed – must give documented instructions for how data processors – the service providers acting on their behalf – handle that data.

Unless the processor has demonstrably failed to follow those instructions or its own obligations under the Regulation, both organisations can face enforcement action should a data breach occur.

This is something organisations should pay particularly close attention to when selecting Cloud service providers. Because the provider holds your data on infrastructure you don’t control, a single misconfigured storage bucket or database, or one successful phishing email, can expose it.

So what should you do to manage those risks?

Know where your data is stored

Although Cloud storage enables organisations to access data remotely, the information is nonetheless kept in a physical location – the servers of the Cloud service provider – and, if that location is outside the EEA (European Economic Area), the GDPR’s data transfer requirements apply.

That means you must check where your Cloud service provider’s servers are located (including any backup or replica regions) before uploading personal data. If they are outside the EEA, you’ll need to rely on one of the transfer mechanisms set out in Chapter V of the GDPR (Articles 44–50).

Adequacy decisions are the simplest method, applying whenever personal data is transferred to a country that the European Commission deems has a sufficient level of data protection.

The European Commission publishes the list of countries it currently deems adequate.

If that basis doesn’t apply, you should use one of the appropriate safeguards in Article 46, most commonly BCRs (binding corporate rules) or SCCs (standard contractual clauses).

The former are suitable for multinationals transferring personal data between entities within the same corporate group, whereas the latter are Commission-approved clauses written into the contract with an external third party that receives the data.

Strengthen your security measures

Whichever method you use for transferring personal data, you must implement technical and organisational measures to reduce the risk of data theft, loss or misuse.

This might include encryption, anonymisation or pseudonymisation. Two measures matter most in practice: encrypt the data before it leaves your control, with keys the provider does not hold, and restrict access to any folder or bucket you upload so that only the people and services that need it can reach it.

Doing so ensures that you have an added layer of defence in the event that your databases are leaked online: a copy that is encrypted or pseudonymised is of little use to whoever obtains it.

Make sure information is handled responsibly

It’s one thing to implement policies and processes dictating how to secure personal information in the Cloud, but it’s much harder to make sure employees are following them.

This is a particular threat within your organisation, because many people mistakenly believe that storing information in the Cloud makes it immune from cyber attacks.

The reality is that remote storage is simply a way of moving the data to another location – one that’s equally susceptible to data breaches – and sharing the responsibility for its security with the Cloud service provider.

It’s paramount that you teach this to your staff to prevent them from being lax with data stored in the Cloud. Many staff awareness courses address Cloud storage directly; if yours doesn’t, update it.

But it’s not just your own employees you need to worry about. Mistakes made by the third party will have repercussions for you, even if you did all you could to protect your data.

You’ll no doubt have contracts setting out what the Cloud service provider must do to protect your information. This will help you avoid enforcement action in the event of a breach, but it won’t necessarily protect you from reputational damage.

Many customers will see only that you’ve been breached and won’t look into or understand the full details.

It’s therefore paramount that you only use a Cloud service provider if you’re confident that they’ll follow your instructions for protecting personal data. But how can you be sure?

Paul Ticher’s Data Protection and the Cloud – Are you really managing the risks? provides the answers you need.

With a focus on the security risks of remote storage and how to mitigate them, as well as the ways organisations can lawfully transfer data outside the EU, this book is ideal for anyone who wants a comprehensive insight into how to manage their relationship with Cloud service providers.
