Cloud providers may also have members of staff, data centres, parent organisations and processes scattered around the world. The flow of data between all of them needs to be protected.
"If you are using a cloud provider, you need to ask that question," said Goodwin. "You need to understand which countries are involved and whether or not they provide the right level of data protection framework for your data."
Data subjects should know where their data is being processed so they can make an informed decision about it and trust the organisation and digital platforms that back on to cloud.
The GDPR introduces new maximum fines of £17 million or four percent of global annual turnover. These should be enough to convince the organisation's board to support their preparations.
Any breaches need to be identified to the national supervisory authority within 72 hours.
"If the breach involves a cloud service provider, then you're going to need their help as well," said Goodwin.
They will need to have the right resources in place in case this situation arises, including the necessary staff awareness that enables them to quickly spot any breaches.
Financial penalties will not be the only damage done. Breaches will be published, so errors can do lasting harm to the organisation's reputation.
CSPs will normally process data they don't own which is provided by their client. The GDPR will nonetheless give them joint and several liability, which means any aggrieved subjects can hold both the data controller and the relevant data processor responsible.
Reputable CSPs will willingly demonstrate their GDPR capabilities. Clients should ask them to do this to find out their level of preparation and address any concerns. They should be looking for contractual clarity, supported by detailed services definition.
The CSP should make it clear where the data is, who the point of contact will be, and how the CSP will help the client with any issues and requests. Most CSPs will have a Data Protection Officer (DPO) who will discuss the GDPR with their clients in detail.
How to prevent and spot breaches
Comprehensive staff training is essential. Everyone in the organisation should have the knowledge and integrity to understand and report problems.
There are tools available that can help. They include monitoring through firewalls and log files, role-based authentication, content scanning in emails and Data Protection Solutions (DLPs).
Regular security tests are necessary to ensure that there are no vulnerabilities in the solution.
"The more you do in terms of the planning and the technical validation and the personnel screening and the supply chain management, the less likely you are to be worried about breaching, fines, regulations etcetera," said Goodwin.
Sign up for Computerworld eNewsletters.