Expert Q&A: GDPR and Cloud computing

In January, IT Governance partnered with the Cloud security software provider Skyhigh Networks to deliver a 45-minute webinar on ‘Privacy and the GDPR: How Cloud computing could be your failing’ followed by a 15-minute Q&A session in which our GDPR expert, Adrian Ross, and Skyhigh Networks’ European spokesman, Nigel Hawthorn, answered your questions about Cloud computing and GDPR compliance.

The webinar was designed to equip individuals involved in GDPR compliance, and organisations that store data in the Cloud, with an understanding of the GDPR’s requirements.

It provided an overview of the GDPR, the breach notification requirements, the responsibilities businesses have when storing data in the Cloud, and the roles of controller and processor. Despite covering all this ground, many of you still had questions about the GDPR compliance requirements for businesses that store data in the Cloud.

In this Q&A blog post, Adrian Ross and Nigel Hawthorn answer some of the questions delegates asked during the webinar in order to shed light on the key GDPR compliance requirements for organisations that store data in the Cloud.

Concerning the right to be forgotten, how practically will this be applied? Will this be applied to legacy backup systems which will be almost impossible to regress?

As other regulations demand that such data be kept, this may seem like a conflict with the right to be forgotten. However, the Information Commissioner’s Office (ICO) has stated that it will be reasonable when reviewing procedures and we expect that removing data from front-end systems will be enough to be considered compliant, provided you have documented the process and any holes, such as how to keep track if a backup needs to be brought back into production.

I work as an integrated governance manager within the [company name]. I have a responsibility for information governance within the organisation and for reporting/dealing with breaches. Would the foundation and practitioner course be suitable for me? We are considered to be the data processor with the DH as the data controller. We use the Cloud via PA.

Yes, both our Foundation and Practitioner courses would support your role in the organisation. Personally, I would recommend the classroom courses as we have found that interaction with other delegates and their experiences benefit the group as a whole.

There may, of course, be specific standards that are applicable to your industry, and we can help you identify these either as part of the course or offline. As I mentioned during the webinar, in relation to the Cloud aspects of the GDPR we are seeing an increased demand for ISO 27018.

The other important point is that data processors fall under the scope of the GDPR.

Do we know whether or not there is a requirement for a processor to have a DPO or is this a requirement purely for controllers?

Under the GDPR it is mandatory for certain controllers and processors to assign a DPO. This applies to all public authorities and bodies, irrespective of the data they process, and organisations that “as a core activity – monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale”. There are guidelines and an FAQ on DPOs here. The good news is that not everyone needs one!

A question on the fines. Does the ICO receive the actual monies?

The fines extracted by the ICO currently go to the UK parliament in the same way as general taxation – I believe that will stay the same.

SaaS providers, such as Salesforce, that can access customers’ data without storing it in the Cloud often rely on various forms of caching techniques. In the case of caching PII, and the possibility of that Cloud provider mirroring its data to another site globally, what should the customer look for to avoid the risk of non-compliance (not meeting data protection by design, non-EEA storage, retention, etc.)?

Your SaaS provider should acknowledge that it understands its responsibilities under the GDPR – make sure that you get a statement of this in your contract. Data can be moved outside the EEA if contracts are considered satisfactory – see the EU’s model contracts for examples.

As I understand the GDPR, it is not prescriptive in terms of the security controls that need to be in place but can it be assumed that those in ISO 27001 and ISO 27018 would be “adequate”?

Implementation of these control sets is a good indicator that the organisation is taking its responsibilities seriously but, on their own, these controls do not adequately cover every clause. As an example, the GDPR discusses user consent (opt in, clarity of terms, etc.), which is not part of either ISO 27001 or ISO 27018.

Will the legitimate interest condition allow companies to continue processing soft opt-in data collected pre-GDPR without having to reconfirm consent?

I recommend trying to contact all of those on your databases to allow them to opt in or out before the deadline. If you wish to continue processing data collected before the deadline, this should be noted in your policies.

Why are there two different fines – €10m or 2% of annual global revenue and €20m or 4% of annual global revenue?

The level of fine depends on the type of breach. It’s worth noting that these are maximum-level fines. If you look at the ICO website, its maximum fine is £500,000, but no company has ever been fined that amount. Fines are dependent on the data loss and the systems and technology you have in place.

How do we notify customers whose data we currently hold? And what if a customer off the street provides false information about a customer we hold… how do we control this?

You can communicate with data subjects however you like, but we recommend that you record how you do this. There are 16 months to do this before the GDPR applies, which is ample time to put together a communication plan.

If one customer enters false information into your system about another customer, it is still your responsibility to make sure your data is accurate.

What do you do if you don’t have the required technical controls to delete data?

Sorry, you need to implement those controls – you have a year to make it happen. Don’t forget to review your subcontractors and Cloud providers.

Are there any additional obligations on data processors that are storing data passed to them from the controller on the Cloud once the GDPR comes into effect?

Yes – data processors are not currently covered by the UK’s 1998 Data Protection Act (there are similar acts across the EU), but the GDPR makes them jointly liable with the data controller.

If I instruct the DVLA not to supply my PII to companies like parking companies, etc., do they have to comply?

I doubt it – though it will be interesting to see if anyone challenges this in the courts. The text referring to criminal offences says: “The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes.”

So, for instance, in Germany they consider an employee’s work email and telephone numbers to be PII, which I don’t believe is the case here in the UK. From 25/05… how are global companies with staff in Germany as well as the UK going to proceed best to ensure we are abiding with the new law? Are we to apply the strongest approach?

Any data that can be used to identify an individual is considered to be PII. Some in the UK did try to make an exception for work-related data, but this was overruled some years ago.

There is a lot in the GDPR aimed at the regulators themselves, attempting to harmonise the ways that they act when a case is brought to them. We recommend that you assume that the strictest interpretation of the law will be enacted across all of the EU.

Just to clarify, I believe we need to distinguish between citizens and residents. I believe the GDPR applies to processors of any EU citizen, regardless of their residence status. So in the case of a New Zealand health organisation holding PHI on EU citizens it will apply?

The GDPR refers to “data subjects who are in the Union”. I take this to mean that citizenship is not relevant but that residency is. So, in your case, the GDPR should not apply until and unless the data subject returns to the EU.

If an EU organisation is handling the customer data outside EU, will the GDPR still apply?

Yes, if the data is of a resident of the EU or EEA, the GDPR applies no matter where in the world the data resides.

Will consent questions be necessary on website contact forms where a person/company is simply requesting further info or a call back?

Yes. If you are collecting the data of EU residents then you need to tell them what you are collecting and why, especially if you want to share this information outside the EU. You need to obtain consent that is clear, unambiguous and not based on the hidden small print of terms and conditions. You also cannot restrict access to a service based on whether someone gives you their data (this is an interesting challenge for marketing).

Does the right to access vary from the existing subject access request?

Yes – the rights of data subjects have been strengthened and data controllers need to have a process in place to ensure they comply. There’s a lot in the GDPR on subject access requests – see Article 15 to Article 20.
