GDPR compliance and cloud based services – what you need to know

The GDPR requires organisations to take appropriate measures to ensure the security of personal data, including data managed within the cloud. Organisations that breach the law can be fined up to 20 million euros or 4% of global turnover, whichever is higher. There are some enhancements over the original Data Protection law, such as the ‘right to be forgotten’ rules as well as the ‘data protection by design’ and ‘data protection by default’ rules, which make compliance something of a challenge.

One of the most underestimated compliance challenges organisations face is that personal data is processed in an unstructured way, often shared through collaboration applications or stored on mobile devices that are outside the organisation’s control. This means the data is not managed and audited appropriately and does not comply with the GDPR.

Organisations must:

  • Know which personal data are processed by users of cloud services
  • Identify the cloud applications used by the organisation’s workforce
  • Prevent personal data from being stored or processed in unmanaged cloud services
  • Protect personal data when stored or processed in cloud services

The rules of the GDPR apply regardless of the means used to process the personal data. They apply to personal data stored on local servers, as well as on servers in the cloud. However, the cloud poses a number of specific compliance challenges to entities covered by the GDPR:

  • The GDPR requires that the people responsible for managing the data know the location where the personal data are stored or otherwise processed.
  • The GDPR requires that the data managers take adequate security measures to protect the personal data from loss, alteration or unauthorised processing.
  • The GDPR requires a ‘data processing’ policy as well as a privacy policy.
  • All cloud providers should amend their terms and conditions to comply with GDPR.
  • The GDPR requires personal data to be erased when the purposes of use have ceased to exist.

What Else Needs to be Considered?

The ability to connect mobile devices to the organisation’s network has further increased the risk of non-compliance with the GDPR. The organisation is often not in a position to exercise control over such services and applications, and has to rely on the worker acting responsibly when accessing and storing personal data from the company’s network on his or her personal device, and on the default settings of the device and the applications. It is the responsibility of the organisation to make sure that a policy covering this kind of activity is implemented and adhered to.

If you want any more advice or information on your organisation becoming GDPR compliant, please get in touch with us – we’d love to help you with this process.