Gartner predicts that the worldwide public cloud services market will grow by 18% in 2017. While there is no doubt that public cloud offers businesses a range of benefits, with legislation such as the General Data Protection Regulation (GDPR) on the horizon, the question many organisations should be asking is: ‘am I GDPR compliant in the cloud?’
It can be a daunting task to establish whether a cloud supplier is compliant with GDPR, but there are a few good indicators that businesses should look out for.
Know the location of your data
When assessing GDPR compliance it is important to understand that a cloud provider’s stance on data privacy will, to some degree, depend on its location. GDPR states that regardless of where the data is stored, if an organisation holds or processes information about EU citizens, it must comply with GDPR. This means personal data stored outside the EU must be offered ‘adequate’ protections in comparison with EU law.
Importantly, even if a non-EU provider claims to be compliant, if the country where the data resides has not been given ‘adequacy’ status by the EU, you will not be able to use them and remain compliant.
For many organisations, these services may reside in the US, where the Privacy Shield was introduced to provide the level of adequacy required. Certification is often brought into question though, as many commentators say that self-certification provides few guarantees.
This has forced many US providers to seek third-party endorsement to demonstrate that these standards are met. While it can be difficult to find out how reliable self-certification is, the service providers who have opted for third-party verification are more likely to be transparent about how GDPR requirements are being met.
It is clear that this is a complicated legal issue, and getting good legal advice on the level of data protection in the countries where your data is stored is vital.
What to look for in a compliant cloud provider
It is important to recognise that if your cloud/service provider is not meeting GDPR, then neither is your business. Though it is possible for some providers to be assessed for GDPR compliance by a third-party, there is currently no official assessment that comes from the European Commission (EC). While a third-party assessment is a good sign, it provides no guarantee that these regulations are being met.
With this in mind, organisations should look for suppliers that exhibit the hallmarks of good data protection standards. These include – but are in no way limited to – the number of staff that are certified (having passed an ISO 17024 accredited exam), and whether the provider is a member of an industry body or signed up to a code of conduct, such as the Cloud Infrastructure Services Providers of Europe (CISPE).
Ultimately, if a supplier will not provide sufficient evidence or detailed plans for ensuring compliance, it may be wise for your organisation to look elsewhere for its cloud needs.
Who is protecting the data?
Because GDPR is a people, process and technology challenge, don’t be fooled into thinking there is a single technology solution that deals with every aspect of the legislation. The responsibility of a cloud provider will vary depending on the role it plays, with SaaS providers having many more responsibilities than IaaS providers, for example. This is especially the case with security, and with whether the cloud provider is classed as the Data Processor or the Data Controller, as defined by GDPR.
While many big cloud suppliers invest heavily in security measures, if data is compromised it can still be difficult to ascertain who is at fault – the customer or the cloud provider. With fines of up to €20 million or 4% of global turnover at risk, it is important your business does everything in its power to ensure that both your company and your cloud provider are keeping data secure. Only then will you have the best chance of staying properly protected and compliant.
When it comes to GDPR, using a cloud service does not absolve you of your responsibilities regarding personal data. Indeed, the adage ‘your data, your responsibility’ still holds true. With IaaS you share some of the security responsibility with the provider, and the provider’s share increases on a sliding scale through PaaS and SaaS. Ultimately, though, what you do with personal data is your call, so it is up to your business to do the groundwork on GDPR compliance, even if you pay to get some expert help.
Sourced by Nigel Tozer, solutions marketing director for EMEA at Commvault