It also needs to be retrospective. Understand the data you have to identify whether you need to go back to existing data and validate the consent.
A benefit of cloud is centralised consent. Some cloud applications allow citizens to login to a central portal where they can administer who sees their data and the consent they're giving, and easily revoke that consent if they desire.
"But there's also some cloud challenges here," said Goodwin. "You need to be working with providers to understand where data is. By its very nature, cloud involves distributed storage and resilient computing resources often moved around separate different countries or territories.
"If we're going to need to understand the consent is withdrawn, then how do we understand where all that data is? So it's important through engaging with a cloud provider that they can give you assurances that they actually know where those different siloes or repositories of personal data are physically located."
Data subject rights
Cloud providers will need to meet a number of new rights for data subjects also.
The right to subject access requests that allow individuals to find out about the personal data that is held. A data subject could write to the communication service provider (CSP) directly, or through the organisation that uses it, who would then contact the CSP. Either way, they would need to identify the data and respond within the designated timeframe.
The right to rectification allows them to have any data errors corrected. The right to data portability gives them the authority to transfer their information as they require, for example from one insurance company to another.
This must be done in common formats. They also have the right to object to processing if they don't approve of any usage, and the right to erasure, also known as the right to be forgotten. Procedures should be established to deliver each of these rights.
"We need to assess as cloud service providers whether our technical resources and our people are properly briefed, trained and equipped to meet those obligations," said Goodwin.
"GDPR introduces some fairly tight time frames. Most of them involve under 30 days, that's what you've got to play with in terms of understanding the request, validating the request, investigating the request, exporting the data and reply. That 30 days is going to fly by. We've got to make sure we're ready for that."
Electronic data can be harder to find than physical documents in a filing cabinet. This is particularly true of cloud data, which can be spread across backups, archives and copies shared with third parties such as Dropbox and Salesforce. The data in every repository needs to be clearly recorded.
Sign up for Computerworld eNewsletters.