Challenges of GDPR for cloud service providers

The European Union General Data Protection Regulation (GDPR) introduces measures to ensure security of personal data, specifying how organisations should manage data from their employees, customers and partners. These regulations apply to individuals living in the Economic European Area (EEA).

Personal data is considered any information that can directly or indirectly identify an individual, whether it relates to their private, professional or public life. It can be a name, a photo, an email address, an individual’s bank details, medical information, work performance details, purchases, tax numbers, education or competencies, location, usernames or computer IP addresses, and so on.

These regulations go into effect on May 25, 2018 throughout Europe and will impact the way cloud service providers (CSPs) and other organisations manage personal data. CSPs will need to understand and comply with these regulations, and organisations choosing a CSP should make sure any vendors under consideration are in compliance with these regulations.

CSPs will need to adapt and amend their services, contracts and background processes to address the new requirements under the GDPR. If they don’t, the consequences are costly. Lack of compliance with this regulation can reflect in fines that go up to €20 million or 4 per cent of global turnover, whichever is higher.

The regulations apply regardless of where the personal data is kept - whether on paper or on servers in the cloud. However, the cloud poses a number of specific compliance challenges.

Controllers and processors

It’s important to understand everyone’s role in GDPR compliance. The GDPR expands the scope of data security regulations. Previously, regulations only applied to the “controller,” meaning the person or organisation that determines the purpose and means of processing personal data. For example, a business would be the controller for its customer and employee data.

However, the GDPR extends the compliance responsibility to the “processor” of the data, such as a CSP. The GDPR requires processors to develop and implement a number of internal procedures and practices to protect personal data. Most of those procedures and practices are related to information security management, so those who follow international standards like ISO 27001 or SOC2 are the ones most prepared for the GDPR challenges. Also, the processor must ensure that any subcontractors follow the requirements.

Data location 

The GDPR requires that controllers and processors know where the personal data is located for storage and processing. This restricts the ability to transfer personal data to third countries or international organisations outside the EEA. CSPs may have or use servers outside the EEA, but the transfer of personal data must comply with GDPR data transfer principles. For example, a vendor’s cloud could be supported on Amazon Web Services (AWS), which would enable customer data to be stored in Europe therefore complying with GDPR. Data transfer is easier if organisations select a CSP with infrastructures located in multiple regions.

Businesses, as the controllers, must assess whether the security measures of their CSP, the processor, meet the security requirements by conducting periodic audits. The same applies to a processor using a sub-processor. Each International Security Standard has its own security program as part of the certification process. This means that periodically controls in place are evaluated as well as their maturity level in terms of compliance. As an example, ISO 27001 Annex A specifies 114 security controls that are required to adopt and any exclusions of adoption must be justified.

Rights of individuals and cloud contracts 

The GDPR extends specific rights to individuals regarding the use of their personal data. These include processes around the transfer of data and when to erase data. Even though these responsibilities are assigned to the controller, it will fall on the processors to adapt infrastructure or services to accommodate this. For example, choices about shared or dedicated databases must be considered in accordance with the nature of the data schema.

The GDPR is prescriptive about the contents of the contracts established between controllers and processors, and sets out many stipulations, including when to process personal data. As people become far more security-conscious about their personal data, there will be more regulations like GDPR. The best approach is to stay ahead of the regulations by launching security initiatives and staying up to date with the latest security certifications. By adopting international standards in information security management companies are much more prepared to handle new requirements. In most situations it just requires a few changes to include or implement in a different way.

Data centre providers

Data centre providers are also an important piece in the GDPR compliance chain that can’t be overlooked. They have the ownership of the physical assets where information is stored. In that sense, they are considered processors and are required to manage at least personal data related to physical access control like biometrics, video surveillance, their own employees and subcontractor information. 

Related to Personal Identifiable Information (PII), GDPR compliance has some challenges that should be addressed by data centre managers. For starters, they should create, implement and manage data retention policies compatible with customers’ specific needs and local legislation. They should also update processes and technology to cover the right to forget and data portability requirements.

The GDPR deadline is fast approaching and organisations are running out of time. It’s essential that everyone understands these regulations and takes responsibility for the data they come in contact with - whether they are controllers or processors. Organisations must take the time to assess that their CSPs are compliant with GDPR before the deadline. While CSPs may have a lot of changes to make in a short period of time, these changes will ultimately improve data security, which is vital in today’s volatile cybersecurity landscape.

José Casinha, Chief Information Security Officer, OutSystems
Image source: Shutterstock/Wright Studio