GDPR Compliance in the Cloud

Eric Vanderburg
Security Thinking Cap
Jun 20, 2017

With the upcoming onset of the GDPR, many companies are seeking to leverage their cloud services for GDPR compliance. The Microsoft Office Modern Workplace episode, ‘GDPR: What You Need to Know’, outlines ways to make this process painless. Companies want to ensure that the cloud services they use are compliant. The GDPR places a higher burden on companies storing data on Europeans, and for many businesses, this data resides in the cloud. Some important GDPR compliance considerations include building support for the consent requirement, the rights to erasure and data portability, and 72-hour breach notification, among other GDPR requirements.

The good news is that cloud providers have not been standing still, and they can be a valuable partner in a company’s compliance effort. The decision to utilize the services of cloud providers was likely made not only for the features they provide but because cloud providers can often implement security controls and procedures that would be cost prohibitive for a company to build on its own. Many cloud providers are actively considering how to comply with the GDPR, and some have already adopted GDPR-compliant practices.

Today, cloud services are not only present in organizations, they are often ubiquitous. One study found that European companies use over 600 cloud services on average, and it is likely that U.S. companies use a similar number. So how do companies with such a large cloud presence comply with the GDPR?

Assign compliance responsibility

The first step in the GDPR compliance effort is to identify which person or group will be responsible for ensuring compliance with GDPR. This may be different groups depending on the organizational culture or the business use of personal information.

According to Karen Lawrence Öqvist, CEO at Privasee, the group responsible may include legal, compliance, or even IT. IT is often the driver in companies where collecting data is not core to the business while legal often has a responsibility when there is an emphasis on the collection of personal information. No matter which person or group is chosen, someone must be accountable for bringing the company into compliance.

Identify cloud providers

The individual or group responsible for compliance must then determine which cloud providers are in use and what data is stored or processed on these cloud services. It can be tempting to reduce the scope of the process only to those that house data on Europeans, but this might be a short-term perspective. Companies must be careful not to limit their scalability and agility by staying on noncompliant systems because those systems may need to house such data in the future as the company evolves.

GDPR compliance can also be an opportunity to build a better relationship with customers. According to Brendon Lynch, Chief Privacy Officer at Microsoft, the increased control and transparency mandated by the GDPR can be a way to build and maintain more trust with customers. This is a benefit not only for European customers, but also those around the globe.

Once cloud providers have been identified, consider ways to consolidate services to ease management and compliance with the GDPR. Take the time to identify redundancies and standardize those services across the enterprise with a single provider. Tiered pricing models and bundling of services can reduce cost, but the primary driver for these changes is reduced complexity of data flows to and from cloud providers. Do not limit this analysis to cloud providers only. Consider also which activities are performed in-house and whether moving those operations to a GDPR-compliant cloud provider would increase efficiency or lower costs.

Gap analysis

Next, conduct a gap analysis of each cloud vendor. Vendor management or compliance groups may send out questionnaires to assess whether cloud providers have the capability to meet GDPR requirements and, if not, whether they have a reasonable plan on how to implement these capabilities before the May 25, 2018, deadline.

Mainstream cloud vendors have been some of the most proactive in implementing methods to secure data in their cloud service offerings and to do so in a way that is compliant with the GDPR. For example, in the recent Microsoft Office Modern Workplace episode, ‘GDPR: What You Need to Know’, the Office 365 prebuilt filters were demonstrated. These filters are already in place for personal data types such as those used by European countries. Administrators can use the filters to define a policy that automatically identifies such data in email, SharePoint, and other Office cloud services, and then takes specific compliance actions.

Conduct privacy impact assessments

Privacy impact assessments should be performed on high-risk assets such as HR or financial data to ensure that this information is adequately protected with whichever cloud providers are storing or processing the data. Privacy impact assessments analyze what personal information the company is collecting, why it is collected, and how it is stored, used, and protected.

Document and train on procedures

It is not enough for the cloud provider to have the capability to comply. The company must be able to use these capabilities in their compliance strategy. For example, the option to remove or transfer personal data may be possible on a cloud system, but the company must document how to utilize these features if needed.

Persons or departments in the company must then be trained on how to perform these actions so that they will be ready and able when customers make data requests. Training alone is not sufficient to ensure that staff will meet the GDPR’s stringent 72-hour notification period. Here, simulation can provide more reliable assurance that incident response activities can be performed in compliance with the GDPR. Simulations should have incident response teams and cloud service providers work together to investigate a data breach effectively and gather the information needed for notification.

Wrapping it up

Companies that wish to comply with the GDPR by the May 25, 2018, deadline are trying to understand where their data is, particularly that of Europeans, and how that data is handled. Cloud providers can be a great partner in this effort, and companies should embrace their cloud providers in the effort to become compliant. Consider your cloud provider a core partner in your compliance rather than a liability, and utilize what they have to offer in order to meet the GDPR requirements.

Special thanks to Microsoft Office, the sponsor of this article. As always, all thoughts and opinions are my own.

Security and Technology Leader, Author, Speaker, Private Investigator and Expert Witness. Vice President of Cybersecurity at TCDI. www.tcdi.com