On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect across the European Union (EU).
The GDPR replaced the 1995 EU Data Protection Directive and set forth new rules for collecting, processing, and storing personal data by organizations operating in the EU. These regulations apply to any company that processes or intends to process the data of individuals in the EU, regardless of where that company is located.
Understanding GDPR and How It Relates to the Cloud
According to Flexera’s 2022 State of the Cloud Report, 57% of companies are moving more workloads to the cloud, while 47% have moved from on-premises software to software as a service (SaaS). This means that more and more organizations are collecting, processing, and storing the personal data of EU citizens.
GDPR cloud compliance should be top of mind for enterprises as they consider their cloud journey. To comply with GDPR, organizations must take a risk-based approach to data protection and implement technical and organizational controls to protect personal data from unauthorized access, use, disclosure, destruction, or loss.
When formulating a compliance program, you must ensure its backbone takes into account the seven GDPR principles, namely:
Lawfulness, fairness, and transparency
GDPR requires that data controllers process personal data lawfully, fairly, and transparently. This principle is achieved by ensuring GDPR compliance from the outset of any data processing activity.
For example, when collecting personal data from individuals, organizations must provide a GDPR-compliant privacy notice that outlines the specific purpose for which they will use the data. Data controllers must also ensure personal data is collected for a specified, explicit, and legitimate purpose and is not further processed in a manner that is incompatible with that purpose.
Purpose limitation
The GDPR requires that data controllers limit the processing of personal data to the purposes for which it was initially collected. For example, if an individual provides their data to an organization in order to receive marketing communications, the organization cannot use that same data for any other purpose.
Data minimization
The regulation also requires that data controllers collect and process only the minimum amount of personal data necessary for the specific purpose for which it is being processed. For example, if an organization is collecting personal data to create a SaaS account, it would only need to collect an individual’s name, email address, and any other data necessary to deliver the service.
Accuracy
The GDPR requires that data controllers take steps to ensure the personal data they are processing is accurate and up to date. This principle is fundamental when personal information is used to make decisions about an individual, such as eligibility for credit or employment.
Storage limitation
The GDPR requires that data controllers store personal data only for as long as it is needed to fulfill the specific purpose for which it was collected. If the data needs to be kept longer than the GDPR’s maximum storage time frames, justification must be provided and GDPR-compliant consent must be obtained from the affected individuals. The only exception to this principle is where data is archived in the public interest or for historical research, scientific, or statistical purposes.
Integrity and confidentiality
Also known as the security principle, integrity and confidentiality requires that data controllers take steps to protect the personal data they are processing from unauthorized access, use, disclosure, or destruction. As such, measures must be taken to protect data from accidental or unauthorized access, destruction, alteration, or unauthorized use.
Accountability
The GDPR requires data controllers to be accountable for their compliance with the regulation. This principle requires companies to take responsibility for their GDPR compliance programs and to implement appropriate technical and organizational measures to protect personal data. Companies must also ensure their employees, contractors, and other individuals with access to personal data are aware of GDPR requirements and understand their role in ensuring GDPR compliance.
Data Protection Challenges Posed by GDPR
Four years after the regulation went into effect, many organizations are still struggling with GDPR compliance – and in most cases, this relates closely to their cloud deployment.
According to a 2021 survey by Bloomberg Law that polled 140 law practitioners in large U.S. organizations, only 38% of respondents reported that their company was fully compliant. The largest share (41%) were still in the process of implementing GDPR, while a good chunk (12%) were not compliant at all.
Some of the challenges companies are grappling with include:
Competing privacy regulations
One of the biggest challenges is that the GDPR is just one of many privacy regulations companies must comply with. In addition to other national laws, there is a patchwork of state privacy laws in the United States, which is only likely to grow in the coming years. This situation is making it difficult for organizations to design and implement global privacy programs that meet all of their obligations.
The complexity of GDPR requirements
The 88-page law is complex and extremely detailed, and compliance requires a deep understanding of data protection law. Companies must also have robust systems and processes in place to ensure compliance. Getting third parties informed about, and committed to, compliance is also a major issue.
GDPR compliance requires changes to business processes and the involvement of third parties. Implementing GDPR-compliant contracts with these parties can be time-consuming and challenging. In addition, fulfilling data subject requests has made day-to-day operations more difficult for many enterprises.
Improving organizational GDPR requirement awareness
Many companies are still struggling to understand the full extent of the regulation and, as a result, are at risk of non-compliance. This issue is compounded by the fact that GDPR enforcement is still in its early stages, and penalties for non-compliance are only now starting to be handed down.
Companies must ensure all employees are aware of the GDPR requirements and know how to comply with them. This may require training employees on the basics of data protection and implementing policies and procedures to ensure compliance.
Monitoring legal developments
Another ongoing challenge is keeping up with GDPR legal developments. The law is still evolving as courts issue decisions and regulators provide guidance. Organizations must stay up-to-date on these developments and ensure their GDPR compliance program evolves accordingly.
This can be a challenge, particularly for small and medium-sized enterprises (SMEs), which may not have the resources to dedicate to this task. However, failure to stay up-to-date with the latest rules can result in significant fines and other penalties, so it is essential that companies make sure they are aware of all relevant developments.
Securing buy-in on budget and resources
One of the biggest challenges posed by the GDPR is securing buy-in from senior management on the budget and resources needed to comply with the regulation. In many organizations, compliance with data protection regulations is seen as a cost center rather than an investment. As a result, securing the funding needed to implement GDPR compliance initiatives can be challenging.
Obtaining requisite expertise
This can be difficult because GDPR is a relatively new regulation, and many organizations do not have experience with it. As a result, they may not know what steps to take to comply with the law. In addition, there is a shortage of qualified personnel familiar with the regulation and its requirements. Businesses may struggle to find the staff they need to comply with GDPR. They may also need to invest in training for their existing employees.
Additionally, some of the required data protection measures can be costly and time-consuming. For example, GDPR requires organizations to appoint a data protection officer and implement risk management processes. These requirements can be challenging for small and medium-sized organizations that do not have the resources to dedicate to data protection.
Tips for GDPR Compliance in the Cloud
Despite the challenges, organizations can take several steps to improve their GDPR compliance posture in their cloud computing usage. Here are a few tips:
Have a clear understanding of the data lifecycle
One of the critical things to keep in mind is the data lifecycle. Knowing where data comes from, how it’s used, and where it’s stored at every stage can help to identify any potential risks and take steps to mitigate them.
While this is easier said than done, one way to get this right is to use an identity data fabric solution to unify the disparate identity data of data subjects into a single global profile. This gives data security teams a more comprehensive understanding of user identification information in the environment and the controls in place to restrict access.
Another important consideration is the level of security that needs to be put in place to protect sensitive data. This will vary depending on the type of data involved and the potential consequences of a breach, but encryption and access controls are essential for protecting most data types.
It is also necessary to ensure all cloud-based services are GDPR compliant. This means working with service providers that can offer the appropriate level of data security, and that have implemented the necessary GDPR-related policies and procedures.
In addition, it is important to be prepared to respond quickly and effectively to any data breaches. This includes having a plan for notifying affected individuals and taking steps to mitigate any potential damage.
Educate employees and contractors on GDPR requirements
Untrained staff are often the weakest link when it comes to GDPR compliance. Compliance programs cannot succeed without the buy-in and cooperation of employees. Every member of staff needs to be aware of GDPR requirements and their role in ensuring compliance. This can be achieved through training programs, awareness-raising campaigns, and regular communications.
All staff who have access to customer data should be aware of their obligations under GDPR. This includes understanding what types of data are covered by the regulation, how to handle customer requests for access to their data, and how to delete data when requested.
It’s also important to ensure any contractors or other third parties are aware of their obligations. Make sure they understand the requirements and have implemented appropriate measures to protect data.
In particular, review vendor contracts to ensure any contract involving customer data transfer to a third party meets GDPR requirements. This includes specifying what type of data is being shared, how it will be protected, and what rights the customer has with respect to their data.
Conduct regular GDPR compliance audits
Regular GDPR compliance audits are essential for assessing current programs and identifying any areas that need improvement. These audits should be conducted by an external consultant with expertise in GDPR compliance.
An effective GDPR compliance audit will cover all aspects of an organization’s data management, from data collection and storage to processing and destruction. The consultant will assess current policies and procedures to ensure they align with GDPR requirements. They will also review data handling practices to identify any potential risks or vulnerabilities.
After the audit is complete, the consultant will provide a report detailing their findings and recommendations. Implementing these recommendations will help to ensure the organization remains compliant with GDPR.
Designate a Data Protection Officer
One key GDPR requirement is the designation of a data protection officer (DPO). A DPO is responsible for ensuring an organization complies with GDPR requirements and can be held liable in the event of a data breach. While the appointment of a DPO is not required for all organizations, it is strongly recommended for companies that process large amounts of personal data.
Beyond the GDPR
There is a plethora of data protection regulations that use the GDPR as a benchmark but have varying requirements. This has added to the regulatory complexity for companies.
For example, GDPR allows the transfer of personal information across international borders, provided adequate protections are in place, while China’s new Personal Information Protection Law (PIPL) doesn’t. Similarly, the GDPR states that organizations only need a lawful basis for collecting personal data from EU data subjects, whereas the California Consumer Privacy Act (CCPA) requires that companies offer consumers the option to opt-out of personal information gathering.
This calls for a meta-compliance strategy where companies doing business in locations with different data privacy laws have one set of controls compatible with all jurisdictions.