Although it was issued under the Data Protection Act 1998, the penalty recently handed out to Equifax for its catastrophic handling of the widely reported 2017 data breach has pushed data protection and the GDPR right back under the spotlight.
Did you get everything tied up before May 25th 2018?
According to surveys, it is unlikely.
One area which is often overlooked, particularly for small and medium sized organisations, is the cloud.
Whether it be cloud-hosted email services, managed security services, data storage or backup software, if it's used to process personal data, then it's in scope.
Data Controller & Processor
The first course of action when shoring up your GDPR adherence in the cloud, is to define the relationship with the service or provider in question.
The GDPR sees two distinct roles: the data controller and the data processor. To simplify things, a controller determines how personal data is to be processed, whereas the processor simply executes the instructions given to it by the controller.
A good example of this would be a cloud-based email provider. It sends and processes emails which contain personal data on the instruction of its owner: you. That makes you the controller and the provider the processor.
GDPR Contracts & Agreements
When striking up a controller and processor arrangement with a third party or a cloud service provider, there are a number of things to define to keep everything above board:
- Document the processing instructions for your processor: It is likely that some of the cloud service providers may already provide this in their contracts, however you will want to verify this. Legally, a data processor should only be able to carry out instructed processing activities.
- Understand where personal data will reside and be processed: Cloud services can be spread across multiple geographical regions for both cost and availability purposes. You will need to ensure that processing takes place in a country which is either covered by the EU regulation or recognised as having adequate protection.
- Define how you will execute data subject rights: Where a data subject has a legal right to view their personal data or to prevent you from processing it further, both you as the data controller and the processor need a process which allows you to comply.
Note that this list is not exhaustive.
Incident Response & Data Breaches
One of the more interesting aspects of the GDPR is its peer enforcement. Under the regulation, the responsibility for a data breach and its fallout cannot simply be laid at the feet of the controller or the processor.
Both are seen as equally responsible for not vetting the other.
A data breach is a much wider term than most people appreciate, with some equating it to a network breach. However, a data breach includes unauthorised access, processing, storage, manipulation and deletion. This means that simply giving a member of staff too much privilege, such that they can see personal data they should not be allowed to, constitutes a breach, albeit a minor one.
The regulation places obligations on controllers and processors regarding their response to data breaches, which will require a high level of cooperation between the two, given that data breaches are likely to be fairly common.
You will need to ensure that your cloud service provider has a defined channel for communicating detected breaches to you. You will need to log these incidents and investigate them where necessary, sometimes reporting them to the supervisory authority.
The supervisory authority will not act as a mediator between you and your controller/processor but will regard you as equally culpable. Therefore it is important that breach reporting, and the measures taken to reduce breaches, are all clear from the outset.
A Careful & Measured Approach
In reality, cloud services under the GDPR are no scarier than any other processing activity. So long as you have prepared and agreed certain actions and responses with your processor, it is not necessarily any more of a risk.
Like any risk-driven standard, certification or regulation, the GDPR is looking for careful and measured approaches to handling personal data, whether in the cloud or not.