By Maurice Woolf, Group General Counsel, Interoute
The General Data Protection Regulation (GDPR) is the EU’s upcoming data protection law. With less than six months until the regulation comes into effect, businesses are busy making sure that they are GDPR-compliant, but what about third-party suppliers – including cloud service providers (CSPs)?
Recent research tells us that businesses are planning to move, on average, nearly half (46%) of their infrastructure to the cloud over the next six months. Additionally, research conducted by Interoute has shown that GDPR compliance is a key consideration for 35% of European businesses when it comes to cloud infrastructure. Consequently, many organisations could find themselves exposed if their CSP isn’t up to scratch. So, what are the key areas that organisations should be focused on in the lead up to May 2018?
GDPR is new and untested, but the potential consequences for non-compliance are considerable. This has led to a knee-jerk reaction from some purchasers of cloud services. Many are seeking to outsource the data protection risk by assigning all liability for breaches onto the data processor. Although tempting, outsourcing the risk of GDPR entirely to your IT supplier can result in lengthy and complex negotiations.
Under the GDPR, both the data controller (typically the enterprise) and the data processor (often the service provider) are required to evaluate the risks inherent in the processing of personal data. Both are also required to implement measures to mitigate those risks, such as encryption. Those measures must ensure an appropriate level of security, including the confidentiality of personally identifiable information. They must also take into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data that needs to be protected.
To get ahead, it is critical that companies understand their data flows, ensure that all decision-makers are aware of the new regulation, and know what is necessary to ensure compliance.
The real day-to-day challenges for businesses will be in understanding their data inventory and where that data flows. These challenges will be felt more in businesses that were not historically data-centric in their thinking. These businesses will have to determine where any personal data is stored and who manages that data. In addition, they will need to be aware of the privacy rules that apply.
What can be done?
GDPR requires that organisations - data controllers - should only use processors who can provide guarantees that the requirements of GDPR will be met and the rights of individuals (data subjects) will be protected.
Much of the risk around GDPR will actually stem from how organisations use the cloud. Organisations should partner with trusted providers that have stringent security controls and privacy requirements "built in". In the absence of an official accreditation scheme, this means that organisations will need to undertake extensive due diligence to assess their cloud provider's compliance. While third-party assessments may provide a good yardstick, they are not a guarantee of compliance. Customers should look at other factors such as relevant security accreditations, where data is stored, relationships with relevant industry bodies, and codes of conduct.
A "GDPR ready" product will give confidence to customers and data subjects alike. However, it is not enough to simply be compliant at a single point in time. Cloud providers should be experienced in developing, maintaining, and continually improving the processes required for large scale activities, and must efficiently and cost-effectively implement the security and compliance regimes required of a data processor under the GDPR on an ongoing basis.
Cloud service providers must identify the technical and organisational measures that they are taking to protect their customers' data, for example ISO 27001 security management and ISO 20000 service management across facilities and products. Service providers that have been guardians of their customers' data for a long time (as Interoute has) are therefore likely to be better placed to understand and address the technical and organisational challenges of protecting that data, and to be ready to react in the event of a data breach.
Not only must organisations look for CSPs that demonstrate accreditation to these standards, but they should also ask how many of the provider's employees have secured accreditation themselves. This, along with membership of and reputable participation in relevant industry bodies, will provide the clearest evidence that the provider takes GDPR compliance seriously, both in the letter and the spirit of the law.
Like any compliance regime, maintaining GDPR compliance is a continuous process. A "GDPR ready" product set will give confidence to customers and data subjects alike. However, companies must work with trusted advisors and partners to ensure that they are prepared to overcome the hurdles that GDPR presents for their business.