A rapidly increasing number of companies are relying on the cloud to do the heavy lifting for them when it comes to data storage and their general IT strategy. However, moving data you control to the cloud, generally means you’re stepping out of a system that you directly control and this has consequences under the GDPR. Your data protection responsibilities can be managed effectively if you take some time to sketch out a plan before you move to the cloud, both in terms of day-to-day management of your responsibilities and any new processes you’ll have to implement, to ensure they are effectively discharged.
To comply with the GDPR, your data must be stored either in a country which is subject to the regulation’s requirements or in an approved third country. You are also responsible for carrying out due diligence and ensuring that the cloud hosting provider that you have selected meets your standards for data protection. You could be held accountable if you transfer information to a server that has inadequate security provisions, and later suffers a data breach incident.
You’ll also be responsible for ensuring that data remains secure outside of your company structure. This means introducing appropriate safeguards to stop your data being accessed by anybody without correct authorisation and making sure that all data remains under your control, and cannot be copied to other parts of your cloud host’s system without your knowledge.
If your business is already GDPR compliant in its internal procedures, then your main focus should be ensuring that your existing procedures are effectively replicated to your new cloud setup. Again, this means that you’ll have to choose the provider of your cloud infrastructure carefully, and ask them detailed questions about how they ensure that their setup is GDPR compliant. Take time to ensure they understand your structure and any non-standard steps which the nature of your business, staff or client base requires you to take, to ensure full compliance with the GDPR.
If your internal procedures are not fully GDPR compliant, then there are a number of areas which you should consider in tandem with your cloud services provider to ensure your new setup meets the required standards. Firstly, ensure that you’ll be able to operate a data retention policy that’s fully compliant. You should not store data for longer than is necessary, and it should be removed from all of your systems, including any cloud systems that you may be using as part of your data processing setup.
You should also be confident that you’ll be able to quickly and effectively remove data from a system when the data subject asks you to, and that no copies of that data will be retained once you’ve made the removal request.
You’ll also have to consider human factors around who has access to the data, and what they’re able to do with it. As a general rule, undoubtedly you should limit the number of people who have access to the data stored in your cloud environment as much as possible. Avoid giving blanket access to anyone who doesn’t need it, just because the setup process is simple. If you’re lax in making and applying these rules when you’re setting up your cloud environment, you could be held liable at a later date if personal information becomes misused.
Taking time to properly set up and consider the implications of your move to a cloud-based system could save you from serious problems further down the road. Proper planning is the key to a safe and successful cloud environment.