GlobalSign Blog

GDPR: What Cloud Service Providers Should Know

The European Union's General Data Protection Regulation (GDPR) may permanently alter the way data is stored in the cloud. Within the last year (May 2021), the European Data Protection Board (EDPB) approved the EU Cloud Code of Conduct, with subsequent final approval by the Belgian Data Protection Authority. The EU Cloud COC applies to all types of cloud service providers – IaaS, PaaS, and SaaS – and lays out a set of compliance requirements that "enable CSPs to demonstrate their capability to comply with GDPR."

This is notable because a large number of business organizations have already migrated their data, in full or at least in part, to a cloud-hosted platform. Cloud computing offers a higher rate of IT resource optimization at affordable cost for businesses that are quickly scaling their infrastructure.

Unlike on-site data management, which scales in cost as its scope increases, cloud computing comes at a contained cost that makes sense for many enterprises. Similarly, cloud hosting has become popular with services like Cloudflare in the US; it works not from a dedicated physical address but from a distributed network of hundreds of computers.

According to web developer Nathan Finch of Best Web Hosting Australia, cloud-based web hosting is the best solution if you want your website running quickly.

“One of the best parts of using cloud-based hosting is the second you want to up your speed, all it takes is a quick request to the hosting company,” says Finch. “If uptime and the ability to scale very rapidly are a concern for your business, then you should seriously consider cloud-based hosting. With cloud hosting you are able to access multiple servers, which allow you to use different data centers and also keep your information private and secure.”

The appeal of cloud services makes it all the more important for these providers to understand how GDPR obligations affect their business, especially as more and more enterprises look to transform their systems and processes.

And as long as they are responsible for storing or processing the data of EU citizens, cloud providers should be mindful that they are adhering to GDPR. Here are a few key points to be aware of.

Disaster response and recovery must be well-defined

The GDPR aims to hold cloud providers more accountable for personal data in their possession that is affected by breaches. A formal, well-defined breach response and coordination plan is vital to cloud providers that need to comply with GDPR law.

It is the responsibility of cloud providers to include in their service agreement clauses that define breach notification obligations and protocols. These obligations and protocols are effective when an organization's key stakeholders clearly define business continuity, disaster recovery, and incident response processes before a data breach occurs. These processes, when clearly defined, provide a framework to respond to any incident in a timely and efficient manner.

Complications can arise because the GDPR requires that all personally identifiable information related to any person in a database be removed upon request. Handling these requests and securely wiping the requested data has to be done in a cloud environment as well as in an on-site data facility.

Cloud service providers need to create automated processes and routines that identify expired data and delete sets that are out of scope. Business associates should identify data that is in scope, as well as understand how long the data can be retained to remain compliant per their jurisdiction's laws. Keep in mind that the result of these requirements is a greater workload and a higher risk of human error, which can cause a business to violate GDPR law.

Rules for data retention across multiple locations

The GDPR, generally speaking, governs the length of time cloud providers may store personal data in their environments. This makes implementing retention particularly tricky for cloud providers, considering that the data they store is often spread across multiple jurisdictions and locations. Cloud service providers need a way to reliably manage data retention without violating GDPR law, and a good rule of thumb is to always make sure key IT stakeholders, as well as a Data Protection Officer (DPO), are involved in this process. Cloud service providers should also include in their contract agreements well-defined procedures for securely retaining data in the cloud under multiple jurisdictions once it's backed up.

Conclusion

GDPR obligations are something all cloud service providers must contend with in light of the EU's desire to harmonize Europe's regulatory atmosphere. Cloud service providers can address data privacy regulations like GDPR in two ways: by clearly defining their disaster recovery process in the event they need to furnish regulatory documentation to the government, and by making sure they are following the guidelines for data retention, especially if they govern sets of data located within multiple jurisdictions.

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.