The new EU General Data Protection Regulation (GDPR) will take effect on May 25th 2018. As a result, companies of all sizes must review the changes issued by the GDPR and identify the organisational and technical implications specific to them. With less than a month before the imposed deadline, many companies are still not considered “GDPR-ready” as they scramble to implement the right IT security and privacy policies. Cloud computing and an increased level of data protection should go hand in hand. Aside from some early jitters, the new regulatory challenges could potentially open up new opportunities for cloud providers and cloud users alike.
TLDR? Skip to the six key criteria…
Data protection and data security are increasingly coming under the spotlight in the course of digitization and are regarded as a key qualification in successfully pursuing the path of digital transformation.
The background and objective of the GDPR is harmonization between the EU member countries, so that a uniform data protection law is valid for the EU zone and at the same time the legal position of those concerned is improved. Here are some of the most important changes in the light of GDPR:
- Fines for breaches are significantly increased – up to 2 or 4 percent of annual revenue, depending on the gravity of the breach.
- The rights of the individuals affected are significantly strengthened by the transparency and information requirements.
- In addition to the well-known obligations regarding data protection, new obligations are introduced, for example for the privacy-friendly default setting of electronic devices.
- The new regulation also applies to companies that are not based in the EU but collect data from EU citizens.
Corporate decision-makers and security experts are now asking themselves what new regulations have been introduced by the GDPR and how they should prepare and conduct the implementation of the GDPR. In addition, the question of “GDPR-readiness” resonates with Chief Information Security Officers (CISOs).
A large number of business decision-makers will think that this is “yet another new regulation from Brussels that nobody will ever notice”. However, the GDPR has good reasons to be taken into account. First and foremost, the rights of all concerned are strengthened. This can lead to significant financial sanctions when it comes to data breaches in the future affecting EU citizens.
In addition to potential material damage, potential damage to corporate reputation is also of great significance. Media outlets are eager to publicize privacy issues – a warning shot for all companies that have yet to build the expertise needed to comply with the new requirements. This is because with the entry into force of the GDPR in May 2018, the fines will be increased drastically. With fines of up to € 20 million or up to 4% of annual turnover, the GDPR topic has received attention at management level in companies of all sizes.
GDPR in the context of cloud computing
The new regulations regarding data protection are both a challenge and an opportunity. A key indicator of “GDPR readiness” is the data protection mindset within companies and the level of data protection actually provided, that is, what business-critical workloads run on cloud infrastructures, where they run and how they are operated.
For many companies, the GDPR is a complex project. Legal, technical and organizational challenges brought about by the GDPR have so far only partially been reconciled. Particularly in the case of large migration projects in the cloud computing environment, in the IoT environment or in big data scenarios, day-to-day business leaves little time to worry about the implementation of the GDPR. However, in addition to numerous implementation challenges, the GDPR also offers the opportunity to excel by redefining and implementing new data protection and IT security strategies, especially in the context of cloud computing.
The topic of cloud computing therefore raises many questions in the context of the GDPR. In GDPR terms, using a cloud service is a data processing relationship. Hence, the cloud user should be fully aware of the way their data is processed at all times. Cloud providers and resource providers only support these functions and are dependent on the legal requirements of the responsible authority. In other words, both cloud providers and businesses must meet the minimum legal requirements for each cloud service under the GDPR.
How can companies turn the challenges of the GDPR to their advantage? There are two main questions. On the one hand, companies need to know which cloud providers they can trust. On the other hand, companies need to know which technical and organizational measures they must take in order to be “GDPR-compliant”.
Opportunities and obligations for CISOs – the right cloud partner
The right cloud partner can be a valuable sparring partner in the light of GDPR, since with their expertise in compliance and security they can help your company become “GDPR-ready”.
If you apply a multi-cloud strategy, you need to assess the data protection policies of each cloud provider. Hybrid and multi-cloud approaches are much more complex to coordinate and therefore may present a higher data protection risk. The multitude of different cloud providers, especially in the public cloud environment, makes it difficult for CISOs to ensure GDPR compliance. GDPR compliance is only as strong as the weakest link. For example, a breach or non-compliance by a single cloud provider within a multi-cloud deployment can undermine all efforts for a successful GDPR compliance.
Six Key Criteria
Here is a quick set of criteria you can use to evaluate your potential or existing cloud partners in terms of GDPR compliance:
A first necessary step is to assess to what extent the provider is able to comply with your IT security requirements. One easy way cloud providers can demonstrate compliance with security and “Privacy by Design” is by being ISO 27001 or ISO 27018 certified. If not, they can demonstrate it via a performed data protection impact assessment (DPIA) and/or a security assessment.
CloudSigma is ISO 27001 certified, ensuring that all aspects of our infrastructure and services used to deliver and manage your cloud conform to the highest ISO certification standard in relation to security and data privacy.
Companies that work with a wide range of critical data must provide sufficient guarantees (in accordance with Article 28 of the GDPR Regulation) that the data controller uses “only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” Hence, you need to make sure that your cloud provider is conducting regular audits for the review, scoring and evaluation of technical and organizational measures to guarantee the security of processing. In addition, you need to make sure that the cloud partner grants the right to audit to their customers.
As a customer of any CloudSigma cloud platform, you are officially entitled to perform security, operations and processes auditing in relation to the services that we provide to you.
Knowing the location where your data is stored and processed is important. Yet, not all cloud partners provide you with the necessary transparency about their cloud locations. Note that the cloud provider’s headquarters is not necessarily the location where your data is hosted. In addition, your data may be moved between different cloud locations in the background without your knowledge; this may be permitted by the Terms of Service of the cloud partner. Last but not least, cloud service providers may store data in multiple locations, and some of these may be outside the EEA. As a Data Controller you need to define a multi-country cloud strategy that adheres to adequacy requirements as well as data localization laws.
As part of our Terms of Service, CloudSigma is structured to legally separate cloud locations by country. As a result, each location is subject to the local legal framework only, offering a 100% local cloud solution for end customers.
Locations are also not technically interconnected, and CloudSigma ensures the highest transparency regarding the exact data location, which will never be transferred between cloud locations.
The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymization. The easiest way to achieve this is to choose a cloud partner that offers a sufficient range of security features, such as backup, encryption, access control policies and others. If your cloud partner does not offer such features, you need to implement them yourself.
CloudSigma endeavours to deliver a high degree of security and privacy for customers with a selection of features and tools allowing them to secure the various aspects of their computing. On our blog customers can find a number of articles describing the different security features such as boot level encryption, access control policies, two-step verification, SSH keys and others.
As a customer of a cloud provider you are the Data Controller which means you must maintain control and ownership of your own data. This can be achieved by signing a Data Processing Agreement with your cloud partner to guarantee that the partner is adhering to the data privacy protection requirements as per the GDPR. You can either draft your own, or check if your cloud partner has created a DPA as a standard part of the Terms of Service. The advantage of using your own is that you can specify the type of personal data and “special” data collected. No matter if you use your partner’s DPA or your own, make sure that the terms state clearly that the Data Controller (i.e. you) owns the data and that the Data Processor (i.e. the cloud partner) will not share the data with third parties.
Customers retain full and sole access at the file system level to their data; the CloudSigma system does not have access to or visibility inside VMs or drives. The CloudSigma cloud management system implements an access control framework limiting employee rights and access, as well as logging actions undertaken on the system.
You need to make sure that once your contract with the cloud partner has ended, you can download/erase the data and also that the cloud partner will delete the data once you’ve terminated the service. Some cloud providers, especially when they are ISO-certified, have defined a standardized policy for deleting data after contract expiration. Try to find out how long it takes for the cloud provider to delete your data.
At CloudSigma all customer data is handled automatically by our system; this includes drive deletion, scheduled deletion (for deprecated accounts) etc.
CloudSigma takes no copies of client drive data; the sole copy resides in our cloud unless the customer chooses to clone the drive to another storage system or location.
In addition, as part of our Data Processing Agreement, you may require correction, deletion, blocking and/or making available of your data during or after termination of your service usage.
So how much is your own company “GDPR-ready” today?
Please feel free to contact us at dpo (at) cloudsigma.com for further information on CloudSigma and the GDPR.
- GDPR and Cloud Computing – Challenges and Opportunities - May 17, 2018