How to ensure General Data Protection Regulation compliance in the cloud

UKCloud’s director of compliance and information assurance John Godwin gives his advice on preparing for GDPR.

By Tom Macaulay, Sep 19th 2017

The General Data Protection Regulation (GDPR) compliance deadline of 25 May 2018 is fast approaching. The regulation provides organisations that process data through cloud services with some unique challenges and opportunities.

To make GDPR compliance successful, each organisation must first understand its implications. The GDPR provides a comprehensive framework for good information governance practices that protect personal data.

"It's a bit like a stick of Brighton rock," explained UKCloud's director of compliance and information assurance John Godwin at Cloudsec 2017. "It should be running through the heart of our organisation. It should be understood by everybody, regardless of which department they work in, or which functions they perform."

Data subjects need to be well-informed about the use of their data and trust that it will be processed securely and only for purposes of which they are aware. This can be a challenge in the cloud, as it isn't always clear exactly where the data is.

"We've got an increasing suite of data subject rights to entertain as well, and if we're using cloud services, we need to understand how our cloud services can help us deliver those rights," said Godwin.

Privacy by design

The concept of privacy by design requires organisations to fully understand the implications of privacy rights so that those rights can be built into the cloud solution from the outset.

To assure privacy by design, organisations should conduct a data privacy impact assessment (DPIA).

"Getting a good DPIA in place is the way of identifying where your shortcomings are, and clearly communicating to your customers that their data is going to be safe as it traverses the various processes within the cloud," said Godwin.

A DPIA should evaluate the data being used and how it's going to be protected. It should consider the location of any data repositories, the ways in which it's processed, and whether it's accessed by any third parties.

It also needs to take account of which countries are involved. If data is moved into countries that are beyond the remit of the GDPR, such as the USA, processors need to ensure that the data protection requirements for those countries are also adequate.

An effective DPIA will allow data subjects to make an informed decision on the use of their data.

Data processing rights

GDPR sets out six separate legal bases for data processing: the data subject's consent; performance of a contract; compliance with a legal obligation; protecting the vital interests of a data subject; public interest; and declared legitimate interests. Whichever basis is relied on needs to be stated to the data subject.

Consent must be voluntary, specific and unambiguous. Data subjects must properly understand the terms of their consent, and be able to revoke it as easily as they first gave it. Consent needs to be comprehensively recorded and stored in case evidence is ever required.

It also needs to be applied retrospectively. Understand the data you already hold so you can identify whether you need to go back to existing records and validate the consent on which they rest.

A benefit of cloud is centralised consent. Some cloud applications allow citizens to login to a central portal where they can administer who sees their data and the consent they're giving, and easily revoke that consent if they desire.

"But there's also some cloud challenges here," said Godwin. "You need to be working with providers to understand where data is. By its very nature, cloud involves distributed storage and resilient computing resources often moved around separate different countries or territories.

"If we're going to need to understand the consent is withdrawn, then how do we understand where all that data is? So it's important through engaging with a cloud provider that they can give you assurances that they actually know where those different siloes or repositories of personal data are physically located."

Data subject rights

Cloud providers will also need to meet a number of new rights for data subjects.

The right of subject access allows individuals to find out what personal data is held about them. A data subject could write to the cloud service provider (CSP) directly, or to the organisation that uses it, which would then contact the CSP. Either way, the data needs to be identified and a response given within the designated timeframe.

The right to rectification allows them to have any data errors corrected. The right to data portability gives them the authority to transfer their information as they require, for example from one insurance company to another.

This must be done in common formats. They also have the right to object to processing if they don't approve of any usage, and the right to erasure, also known as the right to be forgotten. Procedures should be established to deliver each of these rights.

"We need to assess as cloud service providers whether our technical resources and our people are properly briefed, trained and equipped to meet those obligations," said Godwin.

"GDPR introduces some fairly tight time frames. Most of them involve under 30 days, that's what you've got to play with in terms of understanding the request, validating the request, investigating the request, exporting the data and reply. That 30 days is going to fly by. We've got to make sure we're ready for that."

Electronic data can be harder to find than physical documents in a filing cabinet. This is particularly true of cloud data, which can be spread across backups, archives and copies shared with third parties such as Dropbox and Salesforce. The data in every repository needs to be clearly recorded.

Cloud providers may also have members of staff, data centres, parent organisations and processes scattered around the world. The flow of data between all of them needs to be protected.

"If you are using a cloud provider, you need to ask that question," said Godwin. "You need to understand which countries are involved and whether or not they provide the right level of data protection framework for your data."

Data subjects should know where their data is being processed so they can make an informed decision about it and trust the organisation and the digital platforms that rely on cloud services.

New obligations

The GDPR introduces new maximum fines of £17 million or four percent of global annual turnover. These should be enough to convince an organisation's board to support its preparations.

Any breaches need to be reported to the national supervisory authority within 72 hours.

"If the breach involves a cloud service provider, then you're going to need their help as well," said Godwin.

Organisations will need to have the right resources in place in case this situation arises, including the staff awareness needed to spot breaches quickly.

Financial penalties will not be the only damage done. Breaches will be published, so errors can do lasting harm to the organisation's reputation.

CSPs will normally process data they don't own, which is provided by their client. The GDPR nonetheless gives them joint and several liability, which means any aggrieved subjects can hold both the data controller and the relevant data processor responsible.

Reputable CSPs will willingly demonstrate their GDPR capabilities. Clients should ask them to do this to find out their level of preparation and address any concerns. They should be looking for contractual clarity, supported by detailed services definition.

The CSP should make it clear where the data is, who the point of contact will be, and how the CSP will help the client with any issues and requests. Most CSPs will have a Data Protection Officer (DPO) who will discuss the GDPR with their clients in detail.

How to prevent and spot breaches

Comprehensive staff training is essential. Everyone in the organisation should have the knowledge and integrity to understand and report problems.

There are tools available that can help. They include monitoring through firewalls and log files, role-based authentication, content scanning in emails and data loss prevention (DLP) solutions.

Regular security tests are necessary to ensure that there are no vulnerabilities in the solution.

"The more you do in terms of the planning and the technical validation and the personnel screening and the supply chain management, the less likely you are to be worried about breaching, fines, regulations etcetera," said Godwin.

"So now is a good time to start thinking - if you haven't been doing so already - about what you could do proactively to minimise the opportunity for your organisation to be penalised for breaching personal data."

The regulators aren't the only people monitoring data use. Privacy activists are also growing in influence and will be watching out for any breaches. They will want to know where data is, what it is being used for, who has it, and for how long it will be kept. Breaches could also lead to civil suits resulting in significant damages and legal costs of their own.

Websites should have appropriate privacy notices backed with DPIAs to tell people clearly and transparently what will be done with their data.

Specific data protection needs

Organisations that deal with citizen data need to look closely at the basis for consent, their record-keeping practices and their methods for data disposal.

"If you're using cloud services, where is that citizen data?" asked Godwin. "Do you understand that? Do your citizens understand that? Have you told them where the basis for processing is physically going to be?"

Staff also have their own rights under the GDPR. Employment terms and conditions should be revisited to ensure they understand the specific purposes for which their data is going to be processed.

Staff can also make their own subject access requests. Outsourced services, such as payroll, benefits or external training providers, mean personal data leaving the organisational boundary. Organisations also need to know everyone in the supply chain who has access to personal data.

The use of data within all of them needs to be controlled and protected, for the benefit of both your organisation and the general public.