
What impact will the GDPR have on your cloud endeavours?

Introduction

The General Data Protection Regulation (GDPR) was adopted in April 2016 and applies in full from 25 May 2018. Some people regard it as a thorn in the side of cloud providers, but I beg to differ. I regard the regulation as an aid rather than a threat to investment in the cloud.

What is the GDPR about?

In essence, the GDPR defines the rules for collecting, using and processing the personal data of people in the EU. It also applies to organisations without an office or branch in the EU if they offer goods or services to people in the EU or monitor their behaviour, and it applies irrespective of the sector (private, public or commercial). Processing by the police and criminal-justice authorities is governed by a separate directive, and purely personal or household use falls outside the regulation.

The GDPR therefore creates a harmonised legal framework for data protection across the European Union, which makes the rules of engagement simpler for both European and non-European organisations. If you fail to comply, you risk heavy sanctions.

The principles

The new European regulation rests on five basic principles:

  1. One set of rules: the same regulation now applies directly in all EU member states and replaces the 1995 Data Protection Directive and the national laws that implemented it, which varied from one member state to another.
  2. Responsibility and accountability: the new basic principle is privacy by design and by default. Protecting personal data is no longer an option but an obligation, and you must be able to demonstrate that you comply. As an organisation, you bear prime responsibility for the data you process and store, including the data you hand to a cloud provider.
  3. Consent: do you want to use someone's information on the basis of consent? Then that consent must be given in advance, freely, for a specific purpose and by a clear affirmative action; pre-ticked boxes and silence do not count, and it must be as easy to withdraw as it was to give.
  4. The right to erasure: the existing right to erasure (the "right to be forgotten") has been strengthened. Anyone can ask for his or her personal data to be deleted, and where you have no lawful reason to keep it, you must delete it and tell any other recipients to do the same.
  5. Portability of data: everyone now has the right to receive the personal data he or she provided to you and to transfer it to another organisation. It must be delivered in a structured, commonly used and machine-readable format so that it can easily be exchanged between organisations.

Impact

The GDPR applies to your organisation, irrespective of whether you store your data within your own four walls or in the cloud. What are the specific implications?

  • Data Protection Officer (DPO): you must appoint a DPO if you are a public authority, if your core activities involve regular and systematic large-scale monitoring of individuals, or if you process special categories of data (such as health data) or criminal-conviction data on a large scale. Other organisations may appoint one voluntarily. The DPO advises on and monitors compliance with the GDPR; responsibility for compliance itself stays with the organisation.
  • Reporting data breaches: you must report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to put the affected individuals' rights and freedoms at high risk, you must also inform them without undue delay. A breach that is only reported years later, as with the Yahoo breach, will no longer be tolerated.
  • Sanctions: if you fail to comply with the rules, you risk fines of up to EUR 20 million or 4% of your organisation's worldwide annual turnover, whichever is higher.

GDPR in the cloud

But what about the cloud? Some time ago I spoke about Pizza-as-a-Service as a way of comparing the various cloud models. Today we are updating this recipe and baking a secured pizza.

Which responsibilities lie with you and which with your cloud provider depends on the service model you choose: with infrastructure as a service you still manage the operating system, the applications and the data; with software as a service the provider runs nearly everything and you mainly manage the data and who may access it. In GDPR terms you are the controller and the cloud provider is your processor, and the controller keeps ultimate responsibility for the data. But that doesn't give cloud providers a get out of jail free card. Processors now have direct obligations of their own, such as processing data only on your documented instructions, securing their infrastructure appropriately and notifying you of breaches, and these obligations must be laid down in a written contract with you.

Information Security

The cloud can help you put the GDPR into practice. The large providers offer services that focus on information security, such as encryption, key management, access control and audit logging, which you would otherwise have to build and operate yourself.

Imagine your company sells a product containing an ingredient that is a commercial secret. You can encrypt the recipe and give the key only to the recipients who need it. Where the ciphertext is stored then matters far less: without the key, nobody can read it, not even the cloud provider. The caveat is that the security of the data is now exactly the security of the key. Keep the key out of the environment that holds the ciphertext (in a hardware security module or a key-management service under your control), restrict and log who may use it, and remember that encryption protects confidentiality only: it does not stop the data from being deleted or your service from going down, so you still need backups and the rest of your security controls.
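As an added example (not code from the original post or from Xylos), here is a small Go program that implements the idea above and takes it one step further. Each data subject's records are encrypted with that subject's own AES-256-GCM key, held in a key store that stands in for a KMS or HSM under your control; the in-memory KeyStore, the key ids and the sample plaintext are constructed for illustration. Anyone holding only the ciphertext, such as the cloud provider or whoever reads a leaked backup, gets an authentication error. Deleting the key (crypto-shredding) makes every copy of that subject's records unreadable at once, which is one practical way to honour the right to erasure described earlier even for copies in backups you can no longer reach.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is one encrypted record as it would be stored in the cloud:
// the AES-GCM nonce, the ciphertext (which carries the authentication tag)
// and the id of the key that encrypted it. The key itself never sits
// next to the data.
type Envelope struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore is a stand-in for a key-management service or HSM that the
// cloud provider cannot read (hypothetical, in memory for this example).
type KeyStore map[string][]byte

// NewKey generates a fresh random AES-256 key under the given id.
func (ks KeyStore) NewKey(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks[id] = key
	return nil
}

// Shred deletes a key. Every record encrypted under it becomes
// unrecoverable, including copies in backups you no longer control.
func (ks KeyStore) Shred(id string) { delete(ks, id) }

// Seal encrypts plaintext under the named key. The key id is bound as
// additional authenticated data so an envelope cannot be silently
// re-pointed at a different key.
func Seal(ks KeyStore, keyID string, plaintext []byte) (Envelope, error) {
	key, ok := ks[keyID]
	if !ok {
		return Envelope{}, errors.New("unknown key id")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	return Envelope{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an envelope. It fails if the key has been shredded or if
// the nonce, ciphertext or key id were tampered with.
func Open(ks KeyStore, env Envelope) ([]byte, error) {
	key, ok := ks[env.KeyID]
	if !ok {
		return nil, errors.New("key unavailable: data is unreadable")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	ks := KeyStore{}
	// Constructed sample: one data subject, one secret record.
	_ = ks.NewKey("customer-42")
	env, _ := Seal(ks, "customer-42", []byte("secret ingredient: 3 g saffron"))
	pt, err := Open(ks, env)
	fmt.Printf("with key: %q, err=%v\n", pt, err)
	ks.Shred("customer-42") // the erasure request: delete the key, not the copies
	_, err = Open(ks, env)
	fmt.Println("after shredding:", err)
}
```

The same Envelope can live in any storage tier the provider offers; what you audit is who can call Seal and Open against the key store, and Shred is the erasure operation you log when a data subject asks to be forgotten.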

Want to know more about security in the cloud?

Then make sure you watch the Xylos GDPR webinars. You will learn a hands-on approach to getting to grips with the GDPR rules in just two sessions.

This approach not only helps you map out the state of affairs in your organisation methodically; Xylos also works with you on a strategy for complying with the applicable legislation, based on the specific situation in your organisation.
