Cloud Computing and the EU GDPR
The European Union (EU) General Data Protection Regulation (GDPR) is the most significant piece of data protection and privacy legislation to date, with a great impact on the IT industry. The legislation came into effect on 25th May 2018, and, having just passed its half-year anniversary [at the time of publishing this article], experts say that businesses still have some way to go before they reach compliance. This is despite the fact that there had been a two-year transition period for compliance preparation in earnest, which started from the time GDPR was written into law in April 2016.
Note: If you’re interested in exploring the GDPR legislation (a 99-Article document of legalese!), I highly recommend the Intersoft Consulting Services AG website, which does a nice job of presentation with its document layout and excellent navigation. If you would rather have the original document as provided by the EU Parliament, here is a PDF download (of 88 pages!).
The GDPR legislation is very complex and challenging indeed. This is mainly because it grants more rights to individuals (whose personal data is handled) and demands more accountability, with severe non-compliance penalties, from the businesses and organizations that handle personal data.
Note: There are certain activities exempt from the GDPR legislation, including processing covered by law enforcement and national security purposes, and processing carried out by individuals purely for personal and household activities. If in doubt, always consult your legal counsel with expert knowledge in GDPR.
Listed below are some takeaways of key points of the GDPR legislation relevant to this discussion:
1. GDPR applies to all businesses and organizations that offer goods and/or services to citizens in the EU. This implies that GDPR’s reach is not limited to the EU but extends beyond it, possibly worldwide, to businesses and organizations located outside the EU that offer goods and/or services to EU citizens.
2. GDPR places stringent conditions on personal data that crosses the EU border; that is, there are additional requirements to be met for international data transfers, such as treaties and/or certifications for data protection safeguards, and currently only a few countries meet such requirements. If your country doesn’t fulfil this requirement, the only way to offer goods and/or services to EU citizens is by ensuring that the personal data is confined to the EU, i.e., moving the relevant business operation to the EU.
3. If GDPR applies to you, you’re either a data controller, or a data processor, or both. A data controller determines the purposes and means of processing personal data and is therefore the first point of responsibility. A data processor, on the other hand, is responsible for processing personal data on behalf of a controller. If you are not outsourcing data processing to another business (such as a payroll service), you are both data controller and data processor.
   3.1) The GDPR places specific legal obligations on data processors, such as maintaining records of processing activities, with liability for data breaches.
   3.2) A data controller is not relieved of any obligations where a data processor is involved.
   3.3) The GDPR places further obligations on a data controller to ensure that a GDPR-compliant contract exists with each data processor.
   Note also that even computer software can be considered a data processor, so take advice if the software is handling personal data and a potential exists for a data breach due to software bugs or a program crash.
4. GDPR advocates implementations based on the principles of privacy by design and privacy by default; in fact, this is an effective design methodology well recognized by GDPR professionals. Privacy by design considers privacy from the initial design stages and throughout the complete development cycle of new products, processes or services that involve processing personal data. Privacy by default means that the default choices for consent presented to an individual (such as settings on a user interface, or other statements that amount to choices for consent) should default to the privacy-protective option. That is, the user must actively choose to opt in (say, by ticking a check-box); pre-selected choices that rely on the user opting out (say, by unticking a check-box) are now against the GDPR.
5. GDPR non-compliance by businesses and organizations can attract fines of up to 20 million Euros or 4% of annual global turnover, whichever is greater. GDPR should have everyone’s attention, if only for its hefty fines.
6. Individuals in the EU have a number of basic rights with respect to personal data and privacy. These are: (1) the right to be informed explicitly how personal data is gathered, stored, used and shared; (2) the right to access personal data on request, free of charge, to verify the personal data held; (3) the right to be forgotten, by withdrawing consent and having the data deleted; (4) the right to data portability from one service provider to an alternative provider; (5) the right to have information corrected if it is out of date, incomplete or erroneous; (6) the right to object, without exception, to personal data being used for direct marketing; (7) the right to restrict processing of personal data, even though the data remains held; and (8) the right to be notified of any data breach that compromises an individual’s personal data, with notice within 72 hours of the breach becoming known. Translating all these requirements (which, by the way, account for only a small percentage of the 99 Articles of the GDPR legislation!) into IT system design and operation is not an easy task. GDPR requirements have major impacts on how IT systems are designed and put into operation, not only in terms of compliance but, just as importantly, in making the IT system responsive to the day-to-day operational requirements that the law stipulates. This is easy to understand in terms of the individual rights just summarised, which call for whole new ways for businesses to communicate with individuals, and to secure, report on and amend personal data.
7. There is special category personal data, also called sensitive personal data, that requires a high bar for processing. A data controller must determine that the relevant GDPR conditions are met before beginning the processing of special category personal data. Special category personal data includes: race, ethnic origin, political affiliation, religious affiliation, trade union membership, genetic data, biometric data, health data, sex life, and sexual orientation.
Disclaimer: Please note that GDPR is much broader than what is outlined above, which is intended to provide some basic background for what is discussed here in a rather narrow context. For instance, GDPR compliance with regard to children’s data protection, direct marketing, the need for a Data Protection Officer (DPO), etc. are all outside the scope of this discussion, and if required the complete GDPR documentation should be consulted.
Implications of GDPR on Cloud Services
Your cloud provider has in most cases done the hard work with regard to GDPR, such as securing the cloud infrastructure and providing data security control mechanisms, but it is your responsibility to ensure that your cloud-based business complies with the GDPR law. The following summarizes some of the key points:
- What makes cloud computing stand out with regard to GDPR is that the datacenters used by cloud services are located around the world. This matters because the GDPR law requires that all personal data on EU citizens must be either stored in the EU, or within a jurisdiction that meets special arrangements for sufficient safeguards of personal data as stipulated by GDPR. The relevant key points are items #1 and #2 listed above. If, as a business owner, you offer cloud-based services that involve personal data, you must ensure your provider guarantees that the datacenters for your business are based within the EU, or within jurisdictions that meet sufficient safeguards. For this very reason, many cloud companies (for instance, the file storage giant Dropbox, Inc.) have moved part of their operation into datacenters located in the EU.
- As per item #3 above, your cloud provider is your data processor. This calls for a GDPR-compliant contract between you and your cloud provider (see item #3.3). When agreeing a contract, it is also important that you assert ownership of the data being processed and make it explicit that the data is not to be shared with any third parties. A competent legal counsel should be able to handle such matters, so it’s always wise to have legal advice, and most businesses (and certainly large ones) are well equipped with this.
- It is worth emphasizing that the role of your data processor in the responsibility chain shouldn’t leave you in any doubt (see item #3). Outsourcing your infrastructure or platform to a cloud provider (as data processor) doesn’t exempt you from being liable; you need to make sure that you have the right security measures and GDPR compliance in place for your cloud-based business.
- When it comes to GDPR implementations (see item #4 above), cloud platforms are no different from other IT systems, except that with cloud services you may have choices to make (which is a good thing!) as to what resources to deploy, with a degree of performance and cost optimization. This is where a new set of skills comes in for the cloud era, and hence the need for training or the use of external consultants. For instance, to enable data encryption at rest and in transit, you may find different database types and encryption mechanisms to choose from, with differing service packages, performance and cost. Your cloud solution architect and developers should be well versed in such matters for the whole design and implementation, including the GDPR privacy-by-design methodology.
- As you make your journey with cloud computing, there is a silver lining when it comes to GDPR. One of the daunting tasks of GDPR implementations with non-cloud IT systems is assessing compliance by discovering and auditing personal data (also referred to as security gap analysis). This is an intrinsic problem of legacy systems, with personal data scattered all over the place (including paperwork) and most likely without centralized management. With your cloud journey, you can start with a clean slate, with the privacy-by-design methodology central to your migration strategy and a clearly defined personal data footprint that can be centrally managed.
The new data protection regulation provides many rights to individuals, and the task of complying with this regulation falls upon businesses and organizations. This does create challenges, but also opportunities to build deeper trust with your customers if approached with adequate preparation and implementation. Preparations include staff training and, just as importantly, a careful choice of cloud providers, by checking what they have on offer as a tool-kit to make your cloud and GDPR journey easier.
GDPR is not mere legal compliance, but rather a continuous journey that is part of your IT systems development process as well as your business operations. GDPR is here to stay. Privacy by design is a key part of the GDPR legislation; make it your guiding principle when developing any new cloud application as part of your business.
If you’ve got this far …
Finally, if you would indulge me, I have a shameless plug-in: Check out my GDPR app by the name GDPR Toolset, which is available from the Microsoft Apps Store. It is subscription based, but you can give it a test drive, free of charge, for a couple of weeks. You can also search for it in the Microsoft Store app on your PC.
And … if you’ve got this far, chances are you may have found this article useful. If so, show your appreciation by voting with a thumbs-up 👍 at the top so that I get a more realistic indication of readers’ interest in what I share in my spare time.