The European General Data Protection Regulation – better known as GDPR – took effect on 25 May 2018 and sets a new standard for the collection, storage, and use of personal data by companies that process data of individuals in the EU. If a company processes such data, it has to comply with the GDPR even if it is not established in a European country.
If an organization offers goods or services to, or monitors the behavior of, people in the EU, it must meet GDPR compliance requirements. That means most major enterprises with international operations must be in compliance, or they could face significant fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher). The overall impact of GDPR on businesses has been huge, and it has permanently changed the way customer data is collected, stored, and used.
When it comes to the use of cloud services, GDPR-specific challenges arise for enterprises around the privacy of data stored in the cloud, and in particular around determining which law applies to that data. With cloud computing the link between data and a geographical location is blurred: it is not always clear where data are stored, and the data are volatile, being moved from one location to another regularly or held in several locations at once. This makes it hard both to determine the applicable law and to track data flows, which matters because transfers of personal data outside the EU/EEA are only permitted on a recognised legal basis.
Some companies have extended GDPR protections to all their customers, rather than utilizing one policy for EU citizens and one policy for the rest of the world. Microsoft, for example, announced that it would give all users control of their data under the new EU rules, including a privacy dashboard that lets any user manage their personal information.
While GDPR does raise numerous implementation challenges, it also offers the opportunity to excel by redefining and implementing new data protection and IT security strategies, especially in the context of cloud computing. Adopting a data protection-oriented mindset within companies can help better define and structure how business-critical workloads operate on cloud infrastructures.
If your enterprise is using cloud-based services, you need a thorough overview of your data: where it is stored, how it can be transferred, and who or what can access it. Knowing the location of your company's data is necessary to determine which laws apply to it. You also want to check whether the security measures the cloud provider has taken are sufficient, keeping in mind that under the shared responsibility model the provider secures the underlying platform while you remain responsible for how your own data and workloads are configured on it. Regular audits are a good tool to ensure continued compliance with GDPR standards.
As part of internal efforts, it is also good practice to update SLAs and contracts to include terms around compliance with GDPR. Both companies and their cloud providers carry risk here: the customer is the controller and the provider the processor, each has its own obligations under the GDPR, and a failure by either can expose the other if basic GDPR rules and processes are not followed.
Other steps companies using cloud services can take to ensure GDPR compliance:
- Know the locations (regions and data centres) where your cloud-based services are processing or storing data.
- Take adequate technical and organizational security measures to protect personal data from loss, alteration, or unauthorized processing.
- Conclude a data processing agreement (Article 28 GDPR) with each cloud-based service you use.
- Collect only the data that is necessary for the purpose, and limit the processing of "special categories" of personal data (Article 9 GDPR).
- Do not allow cloud-based services to use personal data for their own purposes; restrict processing to your documented instructions.
- Ensure that the data can be returned to you and erased when you stop using the cloud-based service.
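The first two points above (know where your data is stored, and check that adequate protection is in place) can be turned into a repeatable audit rather than a one-off review. The following is an added example, not code from the original article or from Advantel Networks: it walks every S3 bucket an AWS account exposes and reports buckets stored outside an allow-list of EU regions, buckets without default encryption at rest, and buckets that do not fully block public access. The client is injected, so the same functions run against a real boto3 S3 client (`boto3.client("s3")`) or, as shown here, against a constructed offline fake that mimics the boto3 calls and error codes used. The EU region allow-list is an assumption standing in for whatever residency policy your data processing agreement actually specifies.

```python
"""Data-residency and baseline-protection audit for S3 buckets (added example)."""

# Assumption: an EU-only residency policy. Replace with the regions agreed in
# your data processing agreement.
EU_REGIONS = {
    "eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-central-2",
    "eu-north-1", "eu-south-1", "eu-south-2",
}


def _error_code(exc):
    """Pull the AWS error code out of a botocore-style ClientError (or the fake below)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def bucket_region(client, name):
    """Resolve a bucket's region, normalising two real S3 quirks:
    LocationConstraint is None for us-east-1, and 'EU' is a legacy alias for eu-west-1."""
    loc = client.get_bucket_location(Bucket=name).get("LocationConstraint")
    if loc is None:
        return "us-east-1"
    if loc == "EU":
        return "eu-west-1"
    return loc


def default_encryption(client, name):
    """Return the default SSE algorithm, or None if no default encryption is configured."""
    try:
        cfg = client.get_bucket_encryption(Bucket=name)
    except Exception as exc:
        if _error_code(exc) == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise
    rules = cfg["ServerSideEncryptionConfiguration"]["Rules"]
    return rules[0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]


def blocks_public_access(client, name):
    """True only if all four public-access-block settings are enabled."""
    try:
        cfg = client.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
    except Exception as exc:
        if _error_code(exc) == "NoSuchPublicAccessBlockConfiguration":
            return False
        raise
    return all(cfg.get(k, False) for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


def audit_buckets(client, allowed_regions=EU_REGIONS):
    """Return a list of (bucket, issue) findings; an empty list means every check passed."""
    findings = []
    for b in client.list_buckets()["Buckets"]:
        name = b["Name"]
        region = bucket_region(client, name)
        if region not in allowed_regions:
            findings.append((name, f"stored outside allowed regions: {region}"))
        if default_encryption(client, name) is None:
            findings.append((name, "no default encryption at rest"))
        if not blocks_public_access(client, name):
            findings.append((name, "public access not fully blocked"))
    return findings


# --- Constructed offline fake mimicking the subset of the boto3 S3 client used above ---
class FakeClientError(Exception):
    """Mirrors the .response shape of botocore.exceptions.ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Constructed sample inventory: three buckets with deliberately different postures."""
    _buckets = {
        "customer-records-eu": {"loc": "eu-central-1", "sse": "aws:kms", "pab": True},
        "legacy-exports":      {"loc": None, "sse": None, "pab": False},     # us-east-1, no SSE, no PAB
        "archive-eu-legacy":   {"loc": "EU", "sse": "AES256", "pab": True},   # legacy 'EU' alias
    }

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self._buckets]}

    def get_bucket_location(self, Bucket):
        return {"LocationConstraint": self._buckets[Bucket]["loc"]}

    def get_bucket_encryption(self, Bucket):
        sse = self._buckets[Bucket]["sse"]
        if sse is None:
            raise FakeClientError("ServerSideEncryptionConfigurationNotFoundError")
        return {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": sse}}]}}

    def get_public_access_block(self, Bucket):
        if not self._buckets[Bucket]["pab"]:
            raise FakeClientError("NoSuchPublicAccessBlockConfiguration")
        return {"PublicAccessBlockConfiguration": {k: True for k in (
            "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}}


if __name__ == "__main__":
    for bucket, issue in audit_buckets(FakeS3()):
        print(f"{bucket}: {issue}")
```

Against the constructed inventory only `legacy-exports` is reported, with all three issues; the bucket using the legacy `EU` location value is correctly treated as eu-west-1 rather than flagged as unknown. The same pattern extends to other storage services (RDS snapshots, EBS volumes, object stores at other providers): enumerate, resolve the real region, and check the protection settings, and run it on a schedule so the inventory the GDPR requires stays current rather than decaying after the initial audit.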
At Advantel Networks, we can help guide your organization to a cloud-optimized infrastructure built on best practices. To learn more, contact one of our cloud experts today!