What’s GDPR and How Does it Impact Cloud Services?
While the May 25th, 2018, deadline for the EU’s General Data Protection Regulation (GDPR), has come and gone, the implications of the new set of rules will continue to unfold for years to come. The GDRP framework is intended to deliver critical protections and greater corporate accountability when it comes to securing customer data. Many industry analysts feel it represents a significant step towards improving protections in our increasingly data-driven world. The directive also provides certain rights and freedoms to EU residents around how companies process and use personal data. The GDPR applies to organizations located in the EU, as well as all companies processing or storing personal data from customers residing in the EU, regardless of the company’s location. (Source: EU GDPR). While most companies have documented policies to keep sensitive customer data safe, experts believe critical gaps remain. Colorado-based solution provider InteliSecure recently conducted a survey of its clients and found that 70% to 85% are GDPR- compliant. However, the most common GDPR-gaps have to do with consent requests, complying with the ‘Right to be Forgotten,’ and providing proper communication about how customer data will be used or processed. (Source: CRN).
For companies that rely on cloud service providers to either store or process customer data − which could include everything from hosting CRM applications like Salesforce in the cloud − new data privacy laws represent a set of unique challenges. Enterprises that rely on cloud services need assurances that their privacy policies and commitments are followed down the chain by their cloud providers. Let’s look at some of the most important ways data privacy regulations like GDPR can affect agreements between enterprises and service providers.
Make sure cloud providers have built-in, written policies in place – The best way for enterprises to safeguard customer data and to protect the business, is to work with cloud providers that have privacy rights already ‘built-in’ into their service agreements. Cloud service providers are referred to in GDPR rules as ‘data processors’ and enterprises using those services as ‘data controllers.’ GDPR rules state that data security is a joint responsibility of both parties. However, understanding where some responsibilities start and others stop is far from simple. For instance, the rules state that ‘controllers,’ work only with ‘processors’ that provide ‘sufficient guarantees to implement appropriate technical and organizational measures in such a way that processing will meet the requirements of the GDPR and ensure the rights of the data subject.’ Cloud services should address the access, rectification, and rights of users in their policies. Companies should look to cloud providers to have documented policies and to be customer advocates and equal partners in maintaining data security, compliance, and data breach risk mitigation.
Look at how (and for how long) cloud providers retain data – One of the biggest issues tackled by GDPR, is rules related to how long customer data can be stored. GDPR Article 17, also known as the ‘Right to be Forgotten,’ rule ensures individuals have the right to have personal data erased and to prevent processing in specific circumstances. Going much further than previous data security rules, GDPR also prohibits enterprises from requiring ‘forced consent.’ In other words, bundling their services with the requirement of consent to use personal data. While this seems straightforward, the nature of cloud computing is tricky in that customer data can be stored in multiple locations, under multiple jurisdictions, and by multiple cloud providers. For instance, it’s common for enterprises to leverage multiple cloud platforms like Amazon Web Services (AWS) and Google Cloud. When data is in multiple places, it’s subject to different retention jurisdictions, which adds additional challenges in terms of data orchestration and management according to privacy rules.
The same is true for data backup and disaster recovery plans which often strategically keep data records in multiple disparate locations for a specified amount of time. Consultancy firm Deloitte recommends that enterprises ask all of their cloud service providers about how their policies fall in line with data retention rules and how they manage and ensure multiple cloud instances and backup policies are in accordance with localized data retention regulations (Source: Deloitte). Organizations should work with cloud service providers that have a data security framework in place to ensure customers can opt-in to be ‘forgotten,’ should they choose. Working with a cloud provider that makes submitting these requests straightforward, allows companies to avoid bottlenecks and to ensure they are GDPR compliant.
Search performance and ‘Right of Access’- The ability to respond quickly if a data breach occurs, or has suspected to have occurred, is also a critical component of the recent GDPR legislation. Data ‘processors’ must be able to demonstrate compliance respond quickly to EU citizen inquiries regarding their personal information (i.e. Article 15 – “Right of Access”). It’s imperative that businesses ask cloud providers if they can quickly search and retrieve information regarding customer data– regardless of how much data they have stored.
Leading enterprises are making moves today to establish greater customer data protection and to extend accountability way beyond the company’s firewall. To get there, companies will need to lean on forward-thinking cloud service providers that take their role of ‘data processor’ seriously and deliver a customer-first approach to security. If you’d like to learn more about how cloud services with built-in privacy rights can protect your business and help you to become a data privacy champion in the eyes’ of your customers, talk to Telapprise today.