Who is responsible for GDPR compliance – Cloud Service Provider or Organisation?
What is GDPR?
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 across all European Union (EU) member states, becoming binding on any organisation that stores or processes the personal data of residents of the European Economic Area (EEA). It aims to protect the personal data and privacy of EU citizens by regulating how businesses manage the personal data they obtain from their employees, customers and partners.
What are examples of Personal Data?
Name, surname, home address, email address, ID card number and location data are some examples of personal data. Company registration number, device ID, generic email address, anonymised data and IP addresses are some examples of data that are not considered personal data.
How does GDPR affect the cloud?
GDPR affects how organisations and cloud service providers manage personal data. It is crucial for cloud service providers to understand and adhere to the requirements of GDPR, and for companies to choose only a GDPR-compliant vendor as their service provider. Cloud providers have to review and upgrade their underlying processes to be consistent with the requirements specified in the GDPR. Failure to do so attracts stiff penalties: non-compliance with the provisions of this regulation can result in fines as high as €20 million or 4 per cent of global turnover, whichever is higher.
Role of the organisation / consumer
Even under GDPR, organisations remain responsible for ensuring the security of the data handled on their behalf by cloud service providers. However, complying with the requirements of GDPR should not be difficult if the data is moved to a cloud service provider that already operates a compliant environment.
Ideally the organisation should control all data, with the cloud service provider simply acting as a medium to do so. Artmotion, being a cloud service provider, simply acts as a channel through which information is transmitted. It is our customers and their users though, who control the data that is transferred, routed, switched and cached across our networks.
Key focus areas towards ensuring compliance
Below are a few key things that any organisation needs to keep in mind when using the services of a cloud provider:
- Ownership of all data: An organisation must ensure that it retains control and ownership of the transferred data in accordance with the host country's laws. Critical information, including the types of metadata collected by the cloud service provider, the security of that metadata, ownership rights, rights to opt out of the collection or dissemination of metadata, and the intended uses of the metadata, should be available to the organisation.
- Awareness of data storage location: Organisations need to know where their data is stored and processed by the cloud service provider. This prevents the transfer of personal data to countries and international companies outside the EEA.
- Proper data protection and threat security: The organisation must assess the IT security and privacy controls put in place by the cloud provider to protect the customer's data. It needs to ensure that the service provider has taken adequate security measures, such as storage encryption, firewalls and SSL, to safeguard personal data.
- Specificity of personal data collection: When entering into an agreement, the organisation also needs to specify that only the personal data necessary for the provision of the services is collected.
- Erasure of data after contract termination: The organisation also needs to ascertain that, if the services are terminated, the cloud provider erases the personal data relating to the organisation, as soon as possible.
The road ahead
Under the new regulation, data security and privacy are a shared responsibility between organisations and cloud service providers. Organisations are expected to carry out due diligence on the security and privacy of personal data. They should implement the necessary technical and organisational measures to ensure that all data processing is GDPR compliant.
Similarly, cloud service providers must strictly adhere to GDPR, guaranteeing the security and safety of all the data being processed and granting full data ownership to the organisations. At Artmotion, our underlying processes, procedures and technology are compliant with GDPR, which leaves organisations with only the careful handling of their own data.