GDPR Compliance for Cloud Applications

The introduction of the General Data Protection Regulation (GDPR) on 25 May 2018 has far-reaching implications. They apply to any company, anywhere in the world, that processes personal data relating to people who live within the European Union.

When it comes to Cloud applications, GDPR applies both to the data controller that uses the Cloud Application and to the third party that provides access to the Cloud. It seems that many providers are not aware of how GDPR affects them, or, if they are, they are not doing enough about it.

Commvault recently conducted a survey. The results suggested that only around 12% of the 177 global IT companies asked were aware of how GDPR would affect them. Obviously this situation needs to be addressed: if these companies are to avoid large fines, they will need to be able to demonstrate that they are GDPR compliant.

The Importance of Privacy by Design

Arguably, the most important thing for Cloud providers and users to be aware of when it comes to GDPR compliance is the concept of privacy by design. For data processing in the Cloud, this means that data needs to be secure at every stage of the processing procedure. Companies need to examine every aspect of the way they process data, and Cloud usage is no different.

The most effective way to ensure privacy by design is to audit the data that is held and examine the processes that are in place. Doing this helps companies identify any shortcomings in their Cloud Applications and ensures that they are addressed. It is a good idea to use Data Privacy Impact Assessments (DPIAs) to help identify risks and impacts, especially when the processing of sensitive personal data is involved.

It’s important that both data controllers that use Cloud Applications and third-party Cloud Application providers undertake the work required to ensure compliance, as both can be held accountable for any issues that occur.