GDPR and the Cloud: What Major Enterprises Need to Know

Sep 6, 2018 | Cloud, Data Management

If there’s one thing you might remember from your email inbox in mid-2018, it’s probably all the privacy policy updates and businesses begging you to stay on their mailing lists. This upsurge in activity came from a European law, the General Data Protection Regulation, or GDPR. This regulation also impacts IT cloud services and the organizations that use them.
We’ll dig into GDPR, what it means for your business, and the cloud services and enterprise solutions you use.

A Brief Overview of GDPR

Here’s a very quick summary of GDPR and what it means.

What GDPR Means for Business

The main GDPR impact on businesses like yours is how you handle customer data. It strengthens data protection rules, introduces tougher penalties, rationalizes data protection frameworks, and gives EU citizens more control over their data. GDPR applies to all personal information created by, about, or associated with EU citizens.

The Types of Businesses Impacted by GDPR

Any businesses and cloud vendors operating in the European Union or collecting data from EU citizens must abide by GDPR rules. Even if you’re not in the EU, if you collect data from EU citizens, GDPR applies to you.

IT Functions Impacted by GDPR

GDPR impacts three major functions in a business: data controllers, data processors, and data protection officers. Controllers state why and how data is managed, while data processors create, amend, manage, or store personal data. Data Protection Officers ensure businesses comply with GDPR rules when handling EU citizen data.

What the GDPR Means to Enterprise Cloud Storage

EU citizen data is often stored in the cloud. This means it can be accessible to anyone with the right credentials and authorization, wherever they are located. Because most cloud providers operate globally, vendors must be compliant with GDPR regulations.
If you operate within the EU or access EU citizen data from anywhere (including the cloud), your organization must also be compliant. For most GDPR regulations, that means getting data controllers, data processors, and data protection officers in place.

Data Controllers and Cloud Services

According to the EU, “The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within your organisation do so to fulfil your tasks as data controller.” In almost all cases, your business and certain designated teams, functions, or individuals will be data controllers.

Data Processors and Cloud Services

According to the EU, “The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking. The duties of the processor towards the controller must be specified in a contract or another legal act.”
This means that your cloud service provider is typically a data processor, and you should check your legal contract with them to ensure you both understand your respective responsibilities under GDPR rules.

Data Protection Officers and Cloud Services

GDPR regulations state that every organization that “processes or stores large amounts of personal data” must appoint a Data Protection Officer (DPO). These individuals are typically senior managers. They oversee data protection in the business and make sure it meets GDPR regulations. This often means close collaboration with operations, IT security, and cloud vendors.

GDPR, Auditing, and Service Level Agreements

Make sure that you carry out regular audits of any personal data you’re storing on EU citizens, and that it is properly managed, tracked, and secured. Review your agreements with cloud vendors to ensure proper security and compliance rules are followed. Understand how GDPR regulations may impact your operating and service level agreements, mitigate any adverse impact, and know what to look for in your GDPR solution if you don’t already.
Here at Red8, we’re experts in cloud-based solutions for enterprises. We can help you navigate the minefield of GDPR, so if you’ve got any questions, we’d be delighted to help. Contact us today.