The General Data Protection Regulation (GDPR) was passed by the European Union Parliament in April 2016. These regulations are designed to protect how EU citizens’ personal data is stored and used by organizations not only within the EU, but around the globe. Any company that processes data from EU citizens, no matter where the company is located, is subject to the new rules, which take effect in May 2018. Companies that are found to be in breach of the regulation may be subject to fines of up to 4% of their annual global revenue, or €20 million, whichever is greater. Cloud providers, as well as the companies that use them, will also be subject to GDPR enforcement.
GDPR encompasses widespread changes to policy, including:
- Breach Notification: Companies must notify citizens within 72 hours of first becoming aware of a breach.
- Right to Access: Data subjects, as the GDPR website explains, have the right to obtain from the data controller information on how their data is being processed, where, and for what purpose. The controller must also provide a copy of this personal data free of charge, upon request.
- Right to be Forgotten: Data subjects have the right to require that companies erase their personal data, whether the request comes due to revocation of consent or simply because the data is no longer relevant to its original purpose.
- Data Portability: Data subjects may receive, in a “common” format, the personal data they previously provided, and may transmit that data to another controller.
- Privacy by Design: Data protection must be a focus in how systems are designed, and cannot be an afterthought. Companies must keep only the data required to complete the purpose, and limit employee access to that data to only those who need it to complete the processing activity.
Given that this regulation applies to any company doing business within the EU, and not only EU-based organizations, GDPR is expected to have enormous impacts on businesses. Companies must now know where data is being stored, at all times, and understand the limits of consent given to process that data. Furthermore, businesses will need to be able to ensure that they have a process in place for accepting data inquiries from citizens, as well as a method to provide data in a common format.
In addition, companies that are looking to move to the cloud will have another item to consider when evaluating different cloud providers. The GDPR-related questions to ask of a prospective cloud provider are numerous. Can your cloud provider tell you where your company data is being stored? What access control policies does the provider have? When you purge data from a provider, does it remain stored anywhere as a backup? It will be critical to understand these processes, as well as to develop internal practices that comply with the new regulations.
These questions, and many more, are sure to arise as GDPR is rolled out in 2018. Stay tuned for updates and news relating to GDPR and its effect on cloud services providers on LiftrNews.com.