The General Data Protection Regulation (GDPR) compliance deadline of 25 May 2018 is fast approaching. The regulation provides organisations that process data through cloud services with some unique challenges and opportunities.
To make GDPR compliance successful, each organisation must first understand its implications. The GDPR provides a comprehensive framework for good information governance practices that protect personal data.
"It's a bit like a stick of Brighton rock," explained UKCloud's director of compliance and information assurance John Godwin at Cloudsec 2017. "It should be running through the heart of our organisation. It should be understood by everybody, regardless of which department they work in, or which functions they perform."
Data subjects need to be well-informed about the use of their data and trust that it will be processed securely and only for purposes of which they are aware. This can be a challenge in the cloud, as it isn't always clear exactly where the data is.
"We've got an increasing suite of data subject rights to entertain as well, and if we're using cloud services, we need to understand how our cloud services can help us deliver those rights," said Godwin.
Privacy by design
The concept of privacy by design requires organisations to fully understand the implications of privacy rights so that those rights can be built into the cloud solution from the outset.
To assure privacy by design, organisations should conduct a data privacy impact assessment (DPIA).
"Getting a good DPIA in place is the way of identifying where your shortcomings are, and clearly communicating to your customers that their data is going to be safe as it traverses the various processes within the cloud," said Godwin.
A DPIA should evaluate the data being used and how it's going to be protected. It should consider the location of any data repositories, the ways in which it's processed, and whether it's accessed by any third parties.
It also needs to take account of which countries are involved. If data is moved into countries that are beyond the remit of the GDPR, such as the USA, processors need to ensure that the data protection requirements for those countries are also adequate.
An effective DPIA will allow data subjects to make an informed decision on the use of their data.
Data processing rights
GDPR sets out six separate legal bases for data processing: the data subject's consent; processing necessary for the performance of a contract; compliance with a legal obligation; protecting the vital interests of a data subject; a task carried out in the public interest; and declared legitimate interests. Whichever basis is relied on must be stated to the data subject.
Consent must be voluntary, specific and unambiguous. Data subjects must properly understand the terms of their consent, and be able to revoke it as easily as they first gave it. Consent needs to be comprehensively recorded and stored in case evidence is ever required.