As your Managed IT Service provider, we can help you with assessing your organisation’s vital compliance needs.
New data protection rules have become essential because of the massive amount of digital information we create, capture and store. The fundamental purpose of the new GDPR is to update data protection law for the digital age, bringing the onus back to companies.
Any individual, organisation or business that either controls or processes personal data will need to comply with the GDPR, which covers both personal data and sensitive personal data. The difference is that personal data broadly refers to information that can be used to identify a person, such as a name, address or IP address; sensitive personal data includes genetic data, information about religious and political views, and sexual orientation, amongst others.
The GDPR law requires organisations to take appropriate measures to ensure the security of this personal data, including managing data within the cloud. Organisations can be fined for breaching the law up to 20 million euros or 4% of global turnover, whichever is higher.
There are some enhancements over the original Data Protection law, such as the ‘right to be forgotten’ rules as well as the ‘data protection by design’ and ‘data protection by default’ rules, making compliance somewhat of a challenge.
One of the most underestimated compliance challenges that organisations face is that personal data is processed in an unstructured way, often shared through collaboration applications or stored on mobile devices that are outside the organisation’s control. This means that the data is not managed and audited appropriately and does not comply with the GDPR. To address this, organisations need to:
- Know which personal data are processed by users of cloud services
- Identify the cloud applications used by the organisation’s workforce
- Prevent personal data from being stored or processed in unmanaged cloud services
- Protect personal data when stored or processed in cloud services
The rules of the GDPR apply regardless of the means used to process the personal data. They apply to personal data stored on local servers, as well as on servers in the cloud. However, the cloud poses a number of specific compliance challenges to entities covered by the GDPR:
- The GDPR requires that the people responsible for managing the data know the location where the personal data are stored or otherwise processed.
- The GDPR requires that the data managers take adequate security measures to protect the personal data from loss, alteration or unauthorised processing.