The European Union’s General Data Protection Regulation (GDPR) will enforce wide-reaching changes to the way organisations protect personal data. In doing so, the new laws will redress the balance of responsibility between data controllers and processors. Moving forward, data processors, such as your cloud provider, will share accountability for protecting your customers’ sensitive data.
As the data controller, your business will retain overall responsibility for protecting customer data. However, this represents a huge change to current practices, increasing risk on both sides. With the enforcement date of 25 May 2018 fast approaching, it’s time to ask contractors handling your data about their approach to GDPR compliance.
Knowing the location of your data
The new regulatory regime will apply to every business that processes personal information within the EU and, despite Brexit, to organisations outside the EU that offer goods and services to its citizens. To minimise regulatory complexity, GDPR will therefore tighten laws around cross-border data transfers. It is consequently crucial to ensure that the servers of any data processor you hire reside in a country granted adequacy status by the EU.
Under GDPR, businesses must report data breaches that affect people’s rights and freedoms within three days. Although penalties for failing to report a breach will be proportional to each infringement, fines could reach up to €20 million or 4% of global annual turnover.
The UK’s data protection authority, the ICO, insists that businesses must only hire processors providing ‘sufficient guarantees’ that the requirements of GDPR will be met. Consequently, it’s possible that your business and a contracted processor could both be liable for failing to report a data breach. As controllers are ultimately liable for complying with GDPR, this could still apply even if the blame lies with your processing partner.
Privacy by design
The ICO is encouraging all businesses that handle personal information to consider data security not only at the start of a project, but throughout its lifecycle. Article 34 of GDPR also specifies that organisations don't need to declare a breach if the data has been protected against unauthorised access via encryption.
Although the duty of care starts with your business, GDPR represents an excellent opportunity for both data controllers and processors to adopt privacy by design. From improving encryption to developing new security policies, it’s important that your cloud provider is taking measures to make processing personal data more robust.
Rights of the individual
GDPR will provide individuals with more control over how businesses collect, store and use their personal data. Customers will have the right to ask data controllers how their data is being held. In some cases, the right to be forgotten will also allow individuals to ask businesses to erase their data. For this reason, businesses will have a greater responsibility to ensure that processors adapt their infrastructure or services to accommodate these increased rights for data subjects.
What to look for in a compliant supplier
GDPR is raising the security standard cloud services need to meet. To ensure sufficient levels of protection are in place, you will need to question your providers more thoroughly before buying into a solution. Start by asking whether they can access customer data in a timely manner, where your data is held, and whether the company is educating its employees on all the key compliance requirements.