GDPR and Cloud
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of the personal information of individuals within the European Union (EU).
You can find the full text of the GDPR here.
Who should comply:
GDPR applies to all companies that do business in the EU, regardless of where they are located. In practice, this means all major companies across the world are covered.
Key Terms:
- Data Subject - People signing up for the service
- Data Controller - Service provider
- Data Protection Officer - Someone who will ensure GDPR compliance
Key Features:
- Right to Portability and Erasure: Data subjects may transfer their personal data between service providers more easily (also called the "right to portability"), and they may direct a controller to erase their personal data under certain circumstances (also called the "right to erasure").
- Reasonable Data Protection Measures: Requires companies to implement reasonable data protection measures to protect consumers' personal data and privacy against loss or exposure.
- Notification of Data Breaches: Controllers must notify Supervisory Authorities (SAs) of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach, such as its nature and the approximate number of data subjects affected. Data controllers must also notify data subjects as quickly as possible of breaches that place their rights and freedoms at high risk.
- Data Protection Impact Assessments: Requires companies to perform Data Protection Impact Assessments to identify risks to consumer data, and Data Protection Compliance Reviews to ensure those risks are addressed.
- Data Protection Officer: Any company that processes data revealing a subject's genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer. The regulation also outlines the data protection officer position and its responsibilities in ensuring GDPR compliance, as well as reporting to Supervisory Authorities and data subjects.
- Penalties for Non-Compliance: Outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company's global annual revenue, depending on the nature of the violation.
How does this impact CSPs (Cloud Service Providers)?
Cloud Service Providers store various kinds of data, and cloud services also transfer and import a lot of personal data. All major cloud service providers have been preparing their services for GDPR compliance for many months.
AWS
AWS has a GDPR center where all of its announcements are collected.
AWS has announced that all of its services are GDPR ready.
AZURE
While getting ready for GDPR, Azure has also made many guides and utilities available to its clients.
Azure will also help you streamline your GDPR requests. Read about it here.
Google Cloud Platform (GCP)
GCP has listed its commitments to GDPR on its sites for a variety of Google services.
GCP has created a resource center for GDPR compliance, which can be found here.
Among others, Oracle, IBM and Alibaba Cloud have also provided information on GDPR.
Overall preparedness for GDPR is high. My expectation is that GDPR will become the baseline standard for protecting data in the cloud. Hopefully this collection of information is useful for its readers.
Sandeep - Thanks for writing. Well written, in simple and straight language.