GDPR Compliance and Cloud Computing: Quick Checklist

GDPR compliance in the cloud raises many challenges for businesses attempting to comply with the EU’s data protection and privacy regulation. Businesses that use services hosted in the cloud must monitor not only their own compliance efforts but also those of the cloud service providers that process personal data on their behalf.

Prior to May 2018, the data security and privacy rules of EU member states were loosely based around an EU “Directive” issued in 1995 – roughly a decade before Amazon released its first publicly available cloud service. The Directive had the objective of regulating how the personal data of EU “data subjects” was processed, and it limited how and when that data could be transferred outside the EU.

Because each member state implemented the Directive differently, the EU-wide General Data Protection Regulation (GDPR) was adopted in 2016 and has applied since 25 May 2018. GDPR standardizes data security and privacy rules throughout the EU and the European Economic Area, and it applies to every individual or organization that collects, stores or processes the personal data of individuals in the EU, regardless of where in the world that individual or organization is located.

The Challenges of GDPR Compliance in the Cloud

Under GDPR, any individual or organization that determines why and how personal data is collected and processed is a “Data Controller”. The Data Controller is responsible for the security of the data and for responding to access requests regardless of whether it processes and stores the data itself or contracts that work out to third-party service providers – including cloud-based services, which act as “Data Processors” on the controller’s behalf and must be bound by a written data processing agreement.

Most businesses use cloud-based services every day – for example Office365, G-Suite, Slack and ZenDesk. Other cloud-based services – e.g. Dropbox and LinkedIn – are often used by employees without the specific permission or approval of the IT department, leaving Data Controllers in the dark about which services are being used and what personal data flows through them.

Therefore, in order to address the challenges of GDPR compliance in the cloud, Data Controllers should conduct an audit of every cloud service used. They should identify which are GDPR-compliant and formalize agreements with app providers and service providers with regard to data collection, storage, processing, retention and deletion. The use of non-GDPR compliant services should be prohibited.

GDPR Compliance Cloud Checklist

Businesses that use public clouds to process and store data (e.g. AWS, Azure, Google Cloud Platform, etc.) also need to formalize agreements with their public cloud provider. These agreements should be watertight: in a public cloud, infrastructure is shared with other tenants and responsibility for security is split between the provider and the customer, so it must be clear who is accountable for what. It is also important to know in which region or country data is being stored, since this determines whether a transfer outside the EU is taking place.

GDPR agreements are necessary with public cloud providers and cloud service providers because each individual or organization has to fulfil the commitments to data subjects’ rights made in its Privacy Policy, and it cannot do so if the provider holding the data will not cooperate. If an individual or organization is unable to fulfil its commitments, it can be sanctioned and fined by an EU member state’s Supervisory Authority.

Therefore, in order to help with GDPR compliance in the cloud, individuals and organizations should consult the following GDPR compliance cloud checklist – which, although not fully comprehensive in every scenario, provides a suitable starting point for most small to medium businesses.

Checklist 1: Cloud-Based Apps and Services

  • Conduct an audit of cloud-based apps and services used in your organization
  • Ensure you know where data processed and stored by third parties is located
  • Implement processes to recover and delete data as required
  • Execute agreements with apps and services used for data processing
  • Create policies to prohibit the use of non-GDPR compliant apps and services

Checklist 2: Public Cloud Providers

  • Check the public cloud provider has safeguards in place for data protection
  • Establish visibility into data collection to ensure it is only used for its intended purpose
  • Ensure Subject Access Requests can be fulfilled
  • Implement processes to recover and delete data (as above)
  • Execute agreements with public cloud providers