We live in increasingly digital times, and citizens expect their on-line activities to be conducted from wherever they happen to be – using their smartphones or tablets. Very few spare a thought for how that is even possible: it will almost certainly involve the use of cloud services, which in reality will probably be delivered by organisations they have never heard of, in locations unknown. There is a high degree of “blind trust” that citizen data will be safely handled by these cloud services.
Of course, that’s the most likely citizen perspective (if they care at all). For those organisations looking to take traditional manual, paper-based services into the cybersphere, carefully selecting a credible cloud service provider becomes an important consideration which will help to underpin the company’s approach to the security and privacy of personal data. With the European Union General Data Protection Regulation (EU GDPR) arriving in May 2018, choosing the right cloud service provider could greatly help (or indeed hinder) an organisation’s GDPR compliance levels.
Data privacy is underwritten by information security, which extends to the technical, operational and personnel controls which deliver the physical cloud infrastructure itself. To avoid data breaches, unauthorised access or damaging virus or malware attacks, potential cloud service providers should readily be able to demonstrate their capabilities, and customers should ensure they are in a position to understand those responses. It should be expected that the more comprehensive the provision and the better the level of service, the higher the price; but that cost must be weighed against the reduced risk of financial penalties should a data breach take place.
Cloud service providers should be transparent about where their hosting and support facilities are located. Since the provider acts as a data processor, citizens need to understand where their data is, and the legal framework which applies to those locations. While the European Union is harmonising under GDPR, different rules apply within the United States and other non-European nations. Advice should be sought to understand the prevailing legislation, or whether an alternative commercial approach is sufficient to protect the personal data that would be processed within the cloud service.
There is also a need to rely upon the co-operation of the chosen cloud service provider to ensure that the increased range of data subject rights which arrive with GDPR can be properly actioned within (in most cases) 30 days of receipt. Subject access requests, the correction of inaccurate data, or requests to erase personal data, to name a few, will require clear and efficient co-ordination between the customer and their cloud service provider, and technically complex infrastructure must be able to support such requests. Consideration also needs to be given to any back-up, archive or declared sub-processor involvement in data processing.
There’s a lot to think about when selecting a cloud service provider, but on the other hand a properly justified procurement decision will undoubtedly deliver benefits to the customer. The scale and resilience of most cloud providers, combined with the monitoring, maintenance (e.g. patching) and physical protection of their assets, will be greater than most standalone customers can deliver, and activities such as these are crucial to preventing and detecting many forms of data loss, theft or compromise. It should be expected that the focused competences of suppliers’ cloud analysts and engineers, normally available on a 24×7 basis, will again provide better protection and tighter SLA commitments than the customer could ever manage alone.
Third-party cloud services will need appropriate time and resources from the customer to ensure that they are selected and managed effectively. Customers will need to understand and disclose the nature of any external data processors, such as cloud service providers, within privacy notices and Data Protection Impact Assessments (DPIA), so that citizens can make an informed decision about whether they are content to have their data processed in the manner prescribed. Article 35 of GDPR mandates “privacy by design”, and as such all data processing activities need to be designed and implemented with privacy-related considerations as the main focus.
The preparation of a well-structured DPIA (such as those produced by the utopian solution from InfoSaaS) will by necessity involve engagement with any contracted cloud service provider, recognising that the customer (as data controller) and their data processors need to work closely together to ensure that personal data is maintained securely, that the obligations of GDPR can be properly met, and that the rights of citizens as data subjects can be delivered within the required timeframe. Customers are advised to identify the “Data Protection Officer” within the cloud service provider, as this individual plays an essential role in communicating the requirements of GDPR internally and ensuring that the implementation of data protection activities is effective.
Selected carefully and managed closely, cloud services can greatly help organisations achieve compliance with GDPR. Against potential fines of up to €20m (£17m) or 4% of global annual turnover for data breaches under GDPR, choosing wisely is a small price to pay.
Andrew Beverley is the CTO of InfoSaaS, which provides a collaborative solution for the implementation and management of ISO27001 systems. It has recently launched several effective GDPR solutions, which are already helping businesses of all sizes, from the self-employed, through SMEs, to large corporates. To undertake an initial, high-level assessment of how “GDPReady” you are, or to start preparing your GDPR compliance evidence using the Data Protection Impact Assessment solution, click on UtopiaR.