In a previous blog on General Data Protection Regulation (GDPR), I touched on cloud services, data ‘ownership’ and responsibilities, which prompted questions that I thought would be a good topic in this space.
If you are like many around the world, you’re looking into GDPR and finding you’ve got data in public clouds and/or you’re consuming ‘X as a Service’. How do you stand? What do you need to look at? Where does this leave your compliance plans?
Data Location and GDPR
The first thing you need to consider is your cloud suppliers’ stance on privacy and GDPR, which will vary by their location. Data sovereignty is an important issue today, and will become more important beginning May of 2018. Data is subject to the law where it resides, as demonstrated by a recent spat between the U.S. government and Microsoft. However, whether you’re located in the European Union (EU) or elsewhere – and if you hold and process data that applies to EU residents – you will have to comply with the GDPR. This is regardless of where you store your data. As stated in the regulations, that means personal data stored outside the EU must be offered ‘adequate’ protections in comparison with EU law.
The Privacy Shield agreement between the EU and U.S. was drawn up to be compliant with the GDPR. But how companies certify against it varies; they can just self-certify or use a third party, which means that finding out who has done what can be difficult. That said, those who go to the trouble of third-party certification are likely going to want to let you know. Public cloud services in the form of IaaS normally allow you to choose where your data resides, but it’s not always the case with SaaS. So do your homework.
Clearly this is a complex legal area – and getting advice on the level of ‘adequacy’ for the countries where your data is stored per each situation – is extremely important.
Accreditation and industry bodies
If your cloud suppliers are not compliant with the GDPR, then neither are you; so you need to speak to them and find out their plans. There is no GDPR ‘certificate of compliance’, so looking at the number certified staff (having passed an ISO 17024 accredited exam) and membership of bodies such as CISPE is a good indicator. If your cloud suppliers don’t have detailed plans or won’t share them with you, it might be time to consider an alternative – at least as a contingency.
Security and the cloud: A shared responsibility
As we’ve mentioned so many times, the GDPR is a people, process and technology issue. As such, cloud providers’ obligations will vary a lot under the GDPR, depending what they are doing for you. For example, as a data processor, a marketing SaaS provider may have obligations with regard to managing consent or providing tools to help with ‘Right to be Forgotten’ requests, whereas an IaaS cloud provider will not.
Security is also similar in this respect. With SaaS, other than good password security, it’s pretty much all down to the provider. For IaaS, it’s a shared area of responsibility. And you really need to be sure that if there is a breach, you can identify the cause. If negligence came into play, which party was responsible? It’s another complex area; IaaS providers don’t know what you’re doing with their cloud, so they can only go so far to protect you. If your cloud credentials and passwords are compromised, it’s almost impossible for a cloud provider to tell. That said, I still believe that the big cloud providers invest more in security than even large companies do, meaning that on balance you’re probably more secure in the cloud.
Ultimately, all cloud and service providers will seek to reduce their exposure or liability with regard to your data and GDPR – and they will push as much responsibility back to you and your business as they can. If you’re not paying them to do something, trust me, they won’t be doing it. It’s worth remembering this every time you make a choice for your data and setting it against the value of that data to your company. Only then will you have the best chance of staying properly protected and compliant.
When it comes to the GDPR, Commvault adds value in every one of these areas. It’s just as much at home in the cloud as it is on-premises; we can even help you with SaaS applications and GDPR. Learn more about our GDPR solutions, or contact us today.