GDPR in the Cloud

Welcome to the first of Privacy Specialists' Monthly Newsletters, keeping it light on data privacy and on what really matters in that world.

We know the world of GDPR is in a state of limbo after Brexit, and that spending has dropped as Covid has made us all tighten our belts and move to the cloud. At the same time, the world has gone through a huge digital revolution as we start working from home, with all the exposure that brings to an individual and to a business. (See our second edition for that.)

This first edition focuses on the trials of moving to the cloud and is sponsored by one of our cloud migration business partners, 1Place, who make cloud migration faster and more affordable and recognise the need for the cloud as your disaster recovery solution. (www.1Place1Cloud.com)

All editions will give updates on the latest developments in GDPR, UK vs EU, via video links or articles, along with anything interesting from the ICO, including the latest fines, as we all like to see people being caught.

If you would like to contribute an article, please do contact us. We look forward to any feedback via our LinkedIn company page: https://www.dhirubhai.net/company/privacy-specialists

Best Wishes, Doug, CEO @ Privacy Specialists

(https://www.dhirubhai.net/in/douglasforbes/)

GDPR & Cloud Computing

A shift towards greater use of cloud computing is well underway. Innovative products, mobile access to data, and affordable pricing structures are often cited as key drivers for an organisation to consider a move to cloud computing.

The ICO published the Personal information online code of practice in July 2010. The code explains how the DPA applies to the collection and use of personal data online, and it provides practical advice for organisations that do business or provide services online. Note that the code was written against the Data Protection Act 1998; the same principles now apply under the UK GDPR and the Data Protection Act 2018.

The Data Protection Act in the Cloud

The Act applies to any processing of personal data, and "processing" includes simply storing it on someone else's servers.

If you are currently a data controller, you will remain one when you move to the cloud: outsourcing the infrastructure does not outsource the responsibility.

Identifying the Data Controller

This can be quite complicated in the cloud, but ultimately the cloud customer decides who may process the personal data and how, so the customer is typically the data controller. The cloud provider's role is assessed case by case but is typically that of a data processor. See the ICO paper on identifying data controllers and data processors.

Always carry out a risk assessment and a cost/ROI analysis covering what data needs to be moved to the cloud, what should stay on-premises and what should simply be destroyed; data you no longer hold cannot be breached. Using your cloud estate for DR and HA, coupled with the reduced cost to the business, should be the driver for the migration.

What to consider when selecting a cloud provider

Security & Performance

There are strong standards set out for compliance reasons, and each should be considered: a provider needs to have them in place, along with the policies and procedures that support them. We recommend commissioning an external security assessment including a penetration test, testing the provider's physical security, and asking for their security compliance certifications, such as ISO 27001 and Cyber Essentials Plus, checking that the certificate's scope actually covers the services you will be consuming. Ask too for a Quality of Service (QoS) history and guarantee.

Business Continuity & Disaster Recovery

Does your cloud provider meet the recovery time objective and recovery point objective (RTO and RPO) that your business requires? Is there high-availability failover so that no real-time data is lost?

Geographic Control

Can your cloud provider guarantee your data is held within the UK, or within the EU/EEA? If it hosts in the US, and we have seen this with many HR systems(!), are the appropriate safeguards in place, such as standard contractual clauses written into the contract?

Contracts

Finally, when you have considered all these factors, you need to make sure that your cloud provider, as a data processor, covers all of the following requirements contractually, and more:

  • The contract must specify the data controller's requirements (the subject matter, duration, nature and purpose of the processing, and the types of personal data and data subjects involved).
  • The contract must require the cloud provider to have adequate security in place.
  • The contract must prevent sub-processing without the data controller's consent.
  • The contract must require the cloud provider to assist with regulatory queries from the ICO.
  • The contract must require the cloud provider to notify the data controller of data breaches and to assist in managing them, with an agreed notification window of 24 hours so that the company can alert the ICO within the required 72 hours, should it be necessary.
  • The contract must require the cloud provider to keep records of all processing activities.
  • The contract must impose a duty of confidentiality on relevant processor staff.
  • The contract must require the cloud provider to assist in complying with data subject rights: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and rights in relation to automated decision making and profiling.
  • The contract must require the cloud provider to inform the data controller if, in its view, the processing it has been instructed to carry out would infringe the GDPR.
  • The contract must require the cloud provider to delete or return all personal data at the end of the contract and to provide proof of destruction.
  • The processor must nominate a data protection officer or manager as a point of contact.
  • A processor based outside the EU/EEA must appoint (in writing) a representative within the European Union, if needed; under the UK GDPR the same applies to a UK representative for suppliers outside the UK.

For more information on any of the above areas, whether GDPR compliance, cloud migration, cloud disaster recovery, or auditing your cloud licence costs, please do contact us. We are happy to discuss and recommend the best way for you to approach these subjects.

Benjir Hossain (2 years ago):
I appreciate you sharing this Newsletter, Doug!

Joshua Miller (2 years ago):
Have a good one.

Mauro Giacchetti (2 years ago):
Thanks Doug. Great Newsletter. Great post.

Kathleen Reily (2 years ago):
Your Newsletters never fail to pique my interest.