In May of 2018 the General Data Protection Regulation (GDPR) came into effect across Europe, resulting in a host of changes to business processes and data management in businesses of all shapes and sizes. With a large number of actions to take, many will have focused on high-risk and high-visibility tasks, such as physical security measures, privacy policies and breach processes. As we move into 2019 the legislation is settling and business leaders and their advisers are beginning to understand the GDPR at a deeper level. Superficial compliance is not enough to mitigate risks, and the longer the law has been in force the less patient regulators (such as the Information Commissioner's Office) will be about failures to comply. Cybersecurity, access to data and compliance with territorial transfer restrictions are all elements of GDPR that we predict will be a focus for many businesses as we enter the new year. We've taken a look at how GDPR interacts with cloud solutions.
1. Backup and recovery
GDPR requires data controllers (in simple terms, those with control over personal data) to be able to restore personal data in the event of an accidental or malicious destruction event, whether physical or technological. For companies with disparate, disorganised or insecure systems, breach of this requirement is a real possibility, meaning exposure to huge fines and other consequences. Cloud solutions can make recovery painless and quick.
Cloud backup services and solutions include fast recovery of lost data, with automatic backups taking place every few hours and enabling almost one hundred per cent recovery of lost work and information. Working with a cloud provider can give peace of mind day to day, as well as the support and comfort you need in the event of a data emergency, to ensure you don't fall foul of the strict requirements. At the same time, specialist IT providers know how to optimise backups without putting a strain on your IT infrastructure or internet connection.
Anyone who processes personal data within the remit of the GDPR is required to have appropriate security measures in place to protect it. As technology develops and evolves, keeping on top of the latest security measures can be difficult and time-consuming, not to mention expensive. Working with a provider who is committed to high-level data encryption and GDPR compliance allows you to focus on your product or service and your relationship with customers, rather than on your IT infrastructure.
Cloud service providers face certain challenges when it comes to security because of the movement of personal data between servers and systems. Without appropriate security arrangements, this can mean opportunities for third parties to unlawfully access your personal data. However, provided your cloud service provider has a strong plan in place for IT security, the advantages of having your data in one place, with a transparent data storage and transfer process, are likely to far outweigh the risks.
Data subjects are empowered by the regime, and have a number of rights including the right to access a copy of their data and to stop the processing of their data (subject to some exclusions). These requests have increased since GDPR, and are even being used where there is a dispute, including for example employment disputes or disputes with customers. Many companies find it difficult to respond to these requests, which require a thorough search of all data stored.
Most businesses have data and information in different forms in different departments, whether in hard copy notes or files, locally saved electronic files or backup disks, or on a shared drive or system. It can be difficult and time-consuming to search through all of the different sources in the event of a request, and in most cases it will need to be done promptly and in any event within one month of the data subject asking. Having a cloud solution enables faster responses to data subject access requests. Data can be stored securely in one place for ease of access.
4. Transfer of data
An important consideration in any cloud computing solution is the geographical transfer of data. Transferring data outside of the EEA should be carried out only very carefully and with appropriate contractual and technological measures in place, in order to comply with GDPR. Many cloud service providers have servers in locations across the world, meaning that personal data can be inadvertently shared outside of the EEA without an organisation's knowledge.
It can be difficult to determine which data protection laws apply to data at any given time, as data may be transferred between locations regularly as a consequence of changing storage and performance requirements. UK and EEA based cloud IT service providers are in a position to provide GDPR compliant storage and security solutions without fuss.
Data protection legislation such as the GDPR comes with a whole host of obligations and responsibilities. As many of these involve IT security elements, checking on your IT security in 2019 is highly recommended. As the legislation settles in, regulators will be less patient with those who have failed to take security and transparency seriously. As such it’s a good time to look into your storage and processing systems to ensure compliance. Cloud technology is a great place to start.