Cloud Computing and GDPR: what you need to know
The data protection rules laid down in the GDPR also apply to data you store in the cloud, and to the many cloud computing services you use. What does this mean, and what measures should you take?
GDPR: the principles
In order to better protect the privacy of citizens in the Internet age, the EU adopted the General Data Protection Regulation (GDPR) in 2016. This set of rules lays down detailed requirements for the processing of personal data.
This regulation, which has applied in Belgium (and throughout the EU) since 25 May 2018, can be summarised as follows:
- Organisations may only process personal data on a lawful basis, of which the consent of the person concerned is one; data subjects also have the right to access and correct their data and, in certain circumstances, to have them deleted.
- Companies may only collect the data they need to provide their services, and keep them only for as long as necessary; after that, the data must be deleted.
- Companies must also store the data securely and, in the event of a breach (leak, unauthorised access, theft, etc.), notify the supervisory authority within 72 hours of becoming aware of it and, where the breach poses a high risk to them, the affected users without undue delay.
- Companies that fail to comply with these rules may incur hefty fines: up to 10 million euros or 2% of worldwide annual turnover for less serious infringements, and up to 20 million euros or 4% for the most serious ones, whichever amount is higher.
For further details about this regulation, please read: GDPR, what you should know as a Combell customer
The GDPR also applies when it comes to the various forms of cloud computing
In the meantime, like most other businesses, you must have fully updated your company policy to comply with this new regulation. But have you also thought about your cloud computing services? Because you too are undoubtedly using cloud computing services within your company.
Companies pay too little attention to this aspect. Recent studies show that the average European company uses as many as 608 cloud apps, while underestimating that number by 90%. So how can a company hope to be fully GDPR compliant if it does not even know which cloud apps it uses?
So… do not be too hasty to say that you are not involved in cloud computing, because you may be wrong! You too are probably using services such as Dropbox, WeTransfer, Salesforce or OneDrive. All these cloud apps store data from your company, your staff and your users in the cloud, which means the GDPR also applies here.
Or consider, for example, the hosting of your website or application, not forgetting the many cloud services that have been emerging in recent years. In our article ‘Cloud computing, what could it do for you?’, we go deeper into all aspects of cloud computing.
Remember that, as a company, you need to check whether your own structures comply with the GDPR, but you also need to keep an eye on those of your partners and (app) providers. We will take a moment to reflect on the two main cloud models on which the GDPR has a significant impact: cloud computing in general, and cloud apps in particular.
Do you want to find out if cloud computing is really the right solution for your company? We are going to list the pros and cons for you in this next article: Cloud computing: the pros and cons
GDPR and cloud computing: here is what you should bear in mind
- Data retention: data must not be kept longer than necessary. In some sectors, however, a minimum retention period is required by law. So check which retention period your cloud service provider (CSP) applies. Do not forget backups: data must be deleted there too, so ask how long backup copies survive after a deletion.
- Breach notification obligation: the GDPR defines what counts as a personal data breach in the collection, retention and processing of data. As controller, you must notify the supervisory authority within 72 hours of becoming aware of a breach, and the affected users without undue delay if the breach poses a high risk to them. A CSP acting as processor must in turn notify you without undue delay, so make sure its contract specifies the procedure it follows when a breach (theft, a leak, etc.) is detected. Keep control over external communications, so that you inform your users and the supervisory authority yourself rather than learning about the breach from the media.
- Data location and transfers: personal data of EU residents should be stored in the EU/EEA, where European privacy law applies directly, or in a country for which the European Commission has issued an adequacy decision. Transfers anywhere else require appropriate safeguards, such as the Commission's standard contractual clauses, backed by technical measures where needed. So agree with your CSP where your data (including backups and replicas) will be stored, and check that the agreement covers any transfer outside that location.
- Portability: your users (data subjects) have the right to access their data, to receive them in a structured, commonly used and machine-readable format, and to have them deleted. Your cloud provider must enable this by making the data available to you and/or your users in such a format and by supporting deletion on request.
- Ownership: as controller, you must retain ownership and control of the personal data you are responsible for at all times; the CSP may process them only on your documented instructions.
- Risk management: a Data Protection Impact Assessment (DPIA) is the controller's responsibility and is mandatory where the processing is likely to result in a high risk to individuals. Your CSP can support it with its own assessment of the risks of cloud hosting or services, so ask whether it can provide one.
- Metadata: Inquire what metadata your CSP collects, and whether you have the right to opt-out.
- Security: you obviously have no direct control over your CSP's IT environment. As controller, however, you remain responsible for choosing a processor that provides sufficient guarantees, so you must be able to assess to what extent the CSP can meet your security requirements. The following items help you confirm that your Cloud Service Provider meets the requirements with regard to security and Privacy by Design:
- The results of a DPIA (Data Protection Impact Assessment)
- ISO 27001 certification (information security management systems)
- ISO 27018 certification (code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors)
Note: Combell currently complies with these requirements and will also achieve ISO 27701 certification later this year. ISO/IEC 27701 is the privacy information management extension to ISO 27001/27002; it complements ISO 27018 rather than replacing it.
The GDPR and the use of cloud services
When using cloud apps, you are also required to take the necessary precautionary measures to comply with the GDPR regulations. Make sure you follow these practical tips:
- Overview: make a comprehensive list of all the cloud apps and services you use in your business. Find out where they overlap and limit their use to the most efficient apps.
- Data location: find out where these apps store your data. Please note that the headquarters of the provider is rarely the place where your data are stored. Moreover, the data may be distributed across different data centres.
- Protection: make sure the apps protect data against loss, alteration and unauthorised processing, and that they meet recognised security standards.
- Data processing agreement: limit the use of cloud apps to those you really need and that meet the requirements above. Then conclude a data processing agreement with the provider, which the GDPR requires whenever a third party processes personal data on your behalf. Of course, an agreement does not guarantee that the provider really is GDPR compliant, as anything can be put on paper, but it does document your commitment to protecting your data. Make sure the agreement includes the following provisions:
- Only the necessary data: the app provider may only collect the personal data of your users or staff that are necessary for the operation of the app. Pay particular attention when collecting ‘sensitive’ data, such as racial or ethnic origin, political opinions, religious beliefs, etc.
- Limited use: the data may only be used for the app itself and may not be shared with third parties or used for the provider's own purposes.
- Ownership: the user remains the owner of his/her data.
- Portability: the app provider provides a procedure for the user to access the data collected about him/her and to export them in a machine-readable format.
- Data deletion: all data are deleted, or returned to you, when you stop using the service, including copies held in backups.
Following these rules will require some effort at first, but it is definitely worth the trouble. After all, you can show your users that you are GDPR compliant, which will create confidence in your company. And keep in mind that the fines in case of non-compliance can be really expensive!
As a company, you need to check whether your own structures comply with the GDPR, but you also need to keep an eye on those of your cloud partners and providers.
Combell as a Cloud Service Provider
With Combell as a partner for your cloud services, you will be in good hands. Combell is ISO 9001 certified and, since 2011, has been the first Belgian hosting provider to hold an ISO 27001 certificate (currently ISO 27001:2013), obtained after an extensive independent audit of its Information Security Management System. The solid guarantees offered in the Service Level Agreement we sign with our customers for cloud hosting or any other cloud services also cover the various GDPR requirements. Any further questions? Our experts are available to answer them!