Sep 06 2018
We’ll dig into GDPR, what it means for your business, and the cloud services and enterprise solutions you use.
Here’s a very quick summary of GDPR and what it means.
The main GDPR impact on businesses like yours is how you handle customer data. It strengthens data protection rules, introduces tougher penalties, rationalizes data protection frameworks, and gives EU citizens more control over their data. GDPR applies to all personal information created by, about, or associated with EU citizens.
Any businesses and cloud vendors operating in the European Union or collecting data from EU citizens must abide by GDPR rules. Even if you’re not in the EU, if you collect data from EU citizens, GDPR applies to you.
GDPR impacts three major functions in a business: data controllers, data processors, and data protection officers. Controllers decide why and how data is managed, while data processors create, amend, manage, or store personal data. Data protection officers ensure businesses comply with GDPR rules when handling EU citizen data.
EU citizen data is often stored in the cloud. This means it can be accessed by anyone with the right credentials and authorization, wherever they are located. Because most cloud providers operate globally, vendors must be compliant with GDPR regulations.
If you operate within the EU or access EU citizen data from anywhere (including the cloud), your organization must also be compliant. For most GDPR regulations, that means getting data controllers, data processors, and data protection officers in place.
According to the EU, “The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within your organisation do so to fulfil your tasks as data controller.” In almost all cases, your business and certain designated teams, functions, or individuals will be data controllers.
According to the EU, “The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking. The duties of the processor towards the controller must be specified in a contract or another legal act.”
This means that your cloud service provider is typically a data processor, and you should check your legal contract with them to ensure you both understand your responsibilities under GDPR rules.
GDPR regulations state that every organization that “processes or stores large amounts of personal data” must appoint a data protection officer (DPO). These individuals are typically senior managers. They oversee data protection in the business and make sure it meets GDPR regulations. This often means close collaboration with operations, IT security, and cloud vendors.
Make sure that you carry out regular audits of any personal data you’re storing on EU citizens, and that it is properly managed, tracked, and secured. Review your agreements with cloud vendors to ensure proper security and compliance rules are followed. Understand how GDPR regulations may impact your operating and service level agreements, mitigate any adverse impact, and know what to look for in your GDPR solution if you don’t already.