For a while now, talk amongst the information technology community has been rife with conversation about the upcoming EU General Data Protection Regulation (GPDR). The legislation is to be finalised this year and will be effective from May 2018. The following article discusses how the GDPR will affect cloud hosting for both providers and users.
What the new regulation means for cloud providers
The GDPR will help both native and US-based cloud hosting firms and providers find business across Europe. When the new regulation comes into play, providers will be on equal footing with users and data controllers regarding rule violations and data breaches. For this reason, it is essential that the provider community is aware of all new obligations going forward.
These obligations include reporting breaches to the authorities within a 72-hour turnaround. As they often don’t have a direct relationship with users, providers will need an efficient incident-response management program to enable them to identify breaches and inform their users.
The GDPR will hold providers and users equally liable for data breaches, so it’s important that a contract is in place between both parties in order to address breach notification requirements.
Providers will also have a responsibility to assist users with security measures to ensure successful data protection.
Existing legislation
It’s worth noting that much of what is required by the cloud and data provider community is already covered by existing legislation, i.e. ISO 27001. This means that anyone certified by the ISO standard will spend most of their preparation reviewing what the provider is currently doing.
If a provider doesn’t have the ISO 27001 standard, the GDPR will have big ramifications for how users run their cloud hosting businesses.
The ‘right to be forgotten’
The updated version of the legislation will expand on the ‘right to be forgotten’, to apply to non-European companies processing the data of EU citizens, no matter where their services are located. The problem is, information can easily be copied or redistributed elsewhere, making it difficult to erase.
However, duplicated data can be avoided if systems are designed with deletion in mind. For example, companies can collect more meta data around the information they hold, as this makes it easier to find where the data is sorted and therefore easier to delete. It is essential that fool-proof systems are in place to confirm that data has been entirely erased.
Factors cloud users need to be aware of
The average European enterprise uses a total of 608 cloud apps. This may seem like a large amount, however, the usage of cloud apps has increased over time with many companies underestimating the number used by around 90%. This begs into question how organisations using cloud hosting services can successfully comply with the GDPR if they don’t know how many apps people have access to.
There are several important factors that cloud users need to consider in relation to the GDPR when serving to European customers:
- Where are the apps storing and processing data?
This information can be obtained by finding out which cloud apps are being used within a company and discovering where the data is being hosted. It’s also important to remember that data can be moved around between an app’s different data centres.
- Data processing agreement
Once a user knows which apps are being used in their organisation, they should close a data processing agreement with the apps to make sure they follow the GDPR’s data privacy protection requirements. In this agreement, it’s important to specify that the app should only collect the personal data necessary for the cloud to function. There should be limits on the ‘special’ data (information revealing religion, race, political persuasion etc.) collected.
- Protecting personal data
It is crucial for users to have good security measures in place to protect personal data against alteration, loss and unofficial processing. Apps that don’t meet the company’s standards of security must be blocked.
- Terms and conditions
All cloud apps should clearly state in their terms and conditions that the data is owned by the customer and will not be shared with third parties.
The terms should also specify that users can immediately download their own data and that the data will be erased when the app is deleted.
Will cloud hosting cost more with the GDPR?
Once the GDPR has taken effect, the cost of cloud hosting will increase to account for the additional administration necessary to deal with the regulations for each customer deployment. But the cost increase is a far better alternative to a €100m fine, or 5% of the company’s annual global turnover for anyone who doesn’t comply.
Pitfalls and consequences
The rules of the GDPR don’t come without consequences and one possible pitfall is that the regulation assumes there are only processors and controllers within a cloud ecosystem. In reality, there are many groups of companies buying into cloud services, often through Cloud Solution Provider (CSP) resellers, with hosting facilities and operations subcontracted worldwide.
There is also concern that small companies and providers might not have the resources to operate in compliance with the GDPR and therefore choose not to.
That said, the uncertainty of the new rules combined with the consequences for those who don’t comply with the regulation is likely to draw more attention to the data protection clauses in cloud service contracts.