5 Questions (and some answers) for GDPR compliance in the Public Cloud

There are, unsurprisingly, a lot of articles being written about GDPR compliance, offering advice on what you should do to ensure you are compliant by 25 May 2018, the date the regulation applies from.

However, there doesn't seem to be much information that's specifically related to apps and services based in the public cloud.

As well as the obvious advantages of cloud computing, there are some elements that may make GDPR compliance in the public cloud more challenging than for on-premises or private cloud systems.


I've put together a list of five questions (with some suggested answers) that you will need to be able to answer, and document the answers to, as part of GDPR compliance for public cloud workloads.

Some of these may seem very obvious (it's probably a good sign if that's the case!).


Disclaimer: 

This is purely information I have pulled together from various sources that I've found helpful.

Nothing included here should be considered advice, this is more of a conversation starter and a suggestion of areas that you may need to focus on to assist in achieving GDPR compliance in the cloud.

GDPR compliance is a large and potentially complex task and the following is only designed to complement your existing GDPR work. There are many tasks, documents and pieces of evidence you will need in addition to anything referred to here.

Lastly, you may also find that not everything referred to here is relevant or required for your own organisation. There are various guides and documents available to help scope this based on your own circumstances.



Questions

1) Probably the most obvious: Do you have a record of all the cloud apps & services your business currently uses?

You will of course know if you are managing systems in Azure, AWS or Google Cloud, but what about cloud-based apps? Salesforce, Box, Dropbox, WeTransfer, even Sage can all be cloud based, for example. It's not unheard of for apps to find their way into an organisation without IT's involvement! Have you got a record of all of these?


2) Of the cloud based systems you have, which of these store personal data?

For each cloud-based system you have, you will need to understand whether it stores data that is classed as 'personal data' or as 'special category' (sensitive) personal data. Definitions of these can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/


3) There are many possible locations for apps & data to reside in. Do you know where all of your data is held?

Is any of it outside the EU, for example? If either your customers (the data subjects) or your systems are located within the EU, you will need to ensure GDPR compliance.


4) Following on from the above: Do you have control / visibility of how your data can move between different regions / countries?

To make things more complicated, you not only need to know where your data is held now, but also whether that can change without you being aware. It quite possibly can: a lot of cloud-based systems and services make use of geo-redundancy, content distribution networks and other load-balancing technologies that can replicate or cache data in another region without any action on your part.
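As an added example (not part of the original article), one preventive control for this on AWS is an Organizations service control policy (SCP) that denies any API call whose requested region is outside an allowed list, so that nobody in the affected accounts can enable cross-region replication, create a backup copy, or launch a workload in a non-EU region by accident. The allowed regions (eu-west-1 and eu-central-1) and the list of global, region-less services that must be exempted are illustrative choices here, to be adjusted to your own estate.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllActionsOutsideAllowedEuRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "route53:*",
        "cloudfront:*",
        "support:*",
        "budgets:*",
        "health:*",
        "waf:*",
        "shield:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

Two caveats a practitioner should note: SCPs do not apply to the organisation's management account, so production data should not live there; and this only governs actions taken through your own AWS accounts. Replication a SaaS provider performs inside its own infrastructure is invisible to it, which is exactly what the data processing agreement discussed later has to cover.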


5) Global presence is usually a positive thing for cloud systems: you can serve customers from around the world. But do you know, or control, where each system you have is accessed from?

For example, can you ensure that data cannot be accessed from outside of the EU? Is there anything stopping someone using legitimate login details from other countries?


Some suggested actions

1) Make sure you know where your cloud systems are processing or storing data. GDPR limits the ability of entities covered by the GDPR to transfer personal data to recipients outside the European Economic Area (EEA). It's advised to perform a discovery task / project to answer:

  1. Which apps / services is your business using?
  2. Where does each app / service store its data?
  3. Does the app / service allow data to be transferred or moved into or out of the EEA without your intervention?

A data protection impact assessment (DPIA) can be used to cover most of these items: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

2) Take adequate security measures to protect personal data from loss, alteration, or unauthorised processing. You need to know which apps meet your security standards, and either block the ones that don't or put compensating controls in place for them. There are various tools that can automate this for you if it's too big a task to be tackled manually.


3) Create a data processing agreement to cover the cloud apps & services you're using. Once you are happy you have discovered all the cloud-based services & apps in use in your organisation, you will want to execute a data processing agreement with each provider to ensure that they are adhering to the data protection requirements set out in the GDPR. Salesforce, for example, has a dedicated part of its site to assist customers with this: https://www.salesforce.com/uk/campaign/gdpr/

Most 3rd-party apps should have something similar. If the app or service is in house, you will obviously have to create this yourself! You will also need to show that you collect only "necessary" data and limit the processing of "special category" data. This is generally covered by specifying in your data processing agreement that the app collects from your users or organisation only the personal data needed to perform its function.


4) Make sure that cloud apps / services are not using personal data for other purposes. Ensure through your data processing agreement, and verify in your due diligence, that apps state clearly in their terms who owns the data and that it is not shared with third parties.


5) Ensure that you can delete the data when you stop using the service. Make sure that the service / app's terms clearly state that you can download your own data immediately, and that the app will erase your data once you've terminated the service. If available, find out how long it takes for them to do this. The more immediate (less than a week), the better, as lingering data carries a higher risk of exposure.


If you have answers or solutions for all of the above, and the documentation to show it, it will hopefully help as part of a larger GDPR compliance project. It will be interesting to see how much work is involved in maintaining GDPR compliance in future as more apps and services start to leverage the cloud and distribute data globally. Interesting times!


Julian Boneham

Node4 | Technology & Innovation Director (Data)

7 years ago

Thanks, an interesting article that highlights the minefield of considerations for GDPR. So many customers are now using a hybrid Cloud platform strategy and tracking where all the databases are is a challenge, let alone the actual data itself. For anyone wanting advice on how to create an accurate baseline and find out where compliance gaps may be, this Webinar will help: https://www.node4.co.uk/events/gdpr-webinar-how-can-your-customers-secure-their-data/

More articles by Martin Lee