GDPR and the cloud

(Image credit: Shutterstock)

It's been just over four years since the EU's toughest data protection laws to date came into force. Since the General Data Protection Regulation (GDPR) was implemented across the continent, businesses have strived to work hard to stay compliant and avoid potentially crippling penalties.

This shift has come hand-in-hand with the explosion in the migration to the cloud, which poses particular challenges to businesses in the age of stricter data protection laws. Not only businesses themselves, but cloud service providers (CSPs), must be compliant with GDPR as these entity serve as key actors in storing and processing data.

With the enterprise cloud computing becoming integral to how the digital landscape functions, businesses putting their trust in CSPs should be certain these third-party companies are compliant with the EU’s data protection regime. There are strict requirements for holding a data subject's information, so making any major mistakes – or even flagrantly disregarding the rules – could lead to significant GDPR fines.

It might seem like a leap of faith to trust a CSP rather than operating everything in-house, but there are significant benefits in doing so, particularly as the volume of big data and big data analytics swells. This is why proper due diligence should be carried out when choosing a suitor to make sure that scale and growth are matched with compliance.

There are, of course, many more imperative factors businesses must consider when transitioning from fully on-premise IT infrastructure to cloud-based systems, so it’s worth considering the legal implications of data storage and processing before entering the minefield of cloud migration.

How has GDPR affected cloud computing?

Businesses must do their homework when it comes to making sure the external services and third parties they use are GDPR-compliant, particularly when a breach would expose your organisation to regulatory risk.

Your organisation’s data could be managed on servers beyond the EU’s borders, for example. In this situation, it’s key to understand whether this ‘third country’ has a data adequacy agreement in place. Securing the continued free flow of data is the primary reason why the UK implemented the Data Protection Act 2018 while cementing GDPR into British law as part of the European Union (Withdrawal Agreement) Act when implementing Brexit.

It’s important for businesses to take responsibility for determining not just whether their own structures and processes are above board, as far as GDPR is concerned, but also that their partners and suppliers are compliant.

Data management is also important. While enterprises may legitimately collect and store EU residents' data – providing they have permission from individuals to do so – GDPR guidelines state they cannot collect more than they need to complete a predefined purpose. If anything, it is good practice to have a handle on where sensitive data is stored, what it's used for, and for how long it's being kept.

These points can be addressed with service level agreements (SLAs) that can ensure a cloud provider is offering services that’ll enable enterprise operations and processes to remain within GDPR guidelines.

Assessing security with GDPR and the cloud


Understanding the economics of in-cloud data protection

Data protection solutions designed with cost optimisation in mind


Cyber security and the control over data is another really important area to focus on, particularly when it comes to what CSPs can offer and guarantee their customers. GDPR dictates that a company is considered the data controller, and is therefore responsible for keeping data secure whether it’s kept on its own servers or a cloud provider’s.

Should a company’s CSP fall foul of the regulations, the client company could still be held liable as the data controller. Organisations, therefore, must carefully consider the safeguards CSPs implement to ensure they remain as compliant with GDPR as possible, but also to avoid the potential of cyber attacks or data breaches.

As data breaches do happen, and the data controller is responsible for ensuring the protection of any personal information they hold, it's important that a company does as much as it can to secure said data before placing it within cloud apps and storage.

In a hybrid cloud environment where many cloud-based and on-premise apps and services might be used, it's important to ensure any services that aren’t compliant are blocked, and that data can’t be processed without permission. It’s also important to make sure that when a company no longer needs a particular app, that the data within it is retrieved or deleted.

How does GDPR and the cloud relate with Brexit?

After the UK left the EU on 31 October 2019, it was relegated to third country status under GDPR, although data flows were never disrupted, and the UK has since acquired a data adequacy agreement with the EU.

While UK businesses still need to follow the core data protection principles that make up GDPR, with the EU’s regulations baked into UK law, this might change in the coming months as the government seeks to tweak the rules on its own terms.

UK companies that continue doing business with counterparts based across the EU must still store these residents' data in a way that complies with GDPR, however, and the individual variances in the rules as set out by a given country.

On the flipside, EU businesses storing the personal data belonging to UK residents will not have to abide by GDPR specifically, but the UK's Data Protection Act 2018 until this is replaced with the next generation of data protection rules.

GDPR aims to limit the flow of data outside of the European Economic Area (EEA) unless there is domestic legislation in place that is approved by the EU. Initially, there were concerns it would take months, or even years, for the EU to strike an adequacy agreement with the UK.

The EU, however, announced a post-Brexit deal on data flows in June last year. Businesses and CSPs must closely monitor the state of the adequacy agreement, though, as it’s subject to change should the UK’s data protection regime deviate too far from GDPR.

Staying on top of compliance post-cloud migration

Once an enterprise has started to make heavier use of cloud-based services and infrastructure it's important to regularly carry out audits to ensure that the systems and services being used remain the right side of GDPR compliance.

Internal audits might seem like a tedious process, but they are a lot less painful and costly than finding out the company or one of its cloud services has breached GDPR and ends up facing an investigation from data regulators and potentially hefty fines.

Such auditing could also lead to spotting inefficiencies in a company's existing IT infrastructure and processes and enable streamlining measures to be taken to ensure both business and IT operations run in the most effective way possible.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.