With cloud computing becoming more widespread, the ways businesses migrate their data to the cloud as part of their digital transformation programmes are becoming hotly-monitored.
This is especially true since the introduction of the EU's General Data Protection Regulation (GDPR) in May last year.
But with cloud computing deemed the most effective way of storing data by many, due to its limitless scaling nature, what can firms do to ensure they're following the letter and spirit of the law when managing data remotely?
There are a number of important considerations businesses should take when opting to migrate from on-premise infrastructure to a cloud-based solution.
What effect has GDPR had on cloud computing?
Businesses must, of course, do their homework when it comes to making sure the external services and third parties they use are GDPR-compliant, particularly when a breach would expose your organisation to regulatory risk.
Your firm’s data could be managed on servers beyond the EU’s jurisdiction, for instance, without your knowledge that this information is being migrated beyond the Eurozone. In this situation, it’s essential you remain aware as to whether this ‘third country’ has a data adequacy agreement in place; in that its data protection laws are officially deemed compatible with the EU’s.
Businesses need to take responsibility under GDPR for not just determining if their own structures, but that of their partners and suppliers are compliant, or risk sustaining large fines.
Managing consents and establishing GDPR-compliant permissions is also crucial to legitimately processing the data of EU citizens. The laws state clearly that data cannot be used for any purposes beyond those which were stated when consent was obtained, and cannot be held for any longer that’s needed to fulfil these purposes.
The management of data is also important, as while enterprises may legitimately collect and store EU citizen data providing they have the permission from individuals to do so, GDPR guidelines state they cannot collect more than they need to complete a predefined purpose. If anything, it makes good practice to have a handle on where sensitive data is stored, what it’s used for, and for how long it’s being kept.
These points can be addressed with savvy service level agreements that can ensure a cloud provider is offering services that will enable enterprises to remain within GDPR guidelines.
Locking down the cloud
Another important area to really focus on is the level of security and data control various cloud providers offer and can guarantee. Under GDPR, a company is considered the data controller and is thereby responsible for keeping that data safe and secure regardless of whether it is kept on their own servers or those of a cloud provider.
Even if a cloud service is found to be in violation of GDPR, the client company could still be held responsible as the data controller, so companies will need to carefully consider the safeguards the cloud providers they are looking at can guarantee when it comes to GDPR compliance.
As data breaches do happen and the data controller is responsible for ensuring any personal information they hold, it is important that a company does as much as it can to secure any said data before placing it within cloud apps and storage.
So in a mixed IT environment where many cloud and on-premise apps and services might be used, it is important to ensure non GDPR-compliant apps get blocked and data is not altered or processed without authorisation, as well as making sure that when the company no longer needs a cloud app that the data in it is either retrieved or erased.
Tread carefully after cloud migration
Once an enterprise has started to make heavier use of cloud-based services and infrastructure it is important to regularly carry out audits to ensure that the systems and services being used remain the right side of GDPR compliance.
Internal audits might seem like a tedious process, but they are a lot less painful and costly than finding out the company or one of its cloud services has breached GDPR and ends up facing an investigation from data regulators and potentially hefty fines.
Such auditing could also lead to spotting inefficiencies in a company's existing IT infrastructure and processes and enable streamlining measures to be taken to ensure both business and IT operations run in the most effective way possible.