Cloud can help complying with GDPR | Cyber Risk | Deloitte Netherlands

Article

Cloud can help complying with GDPR

Part 4: Leveraging cloud benefits in a responsible way

Cloud computing has reached a level of maturity and usefulness that many company executives never imagined. But the cloud also brings new risks. These need to be managed properly if an organisation wants to unlock the cloud’s full potential. In this blog series, we help you to stay in control—responsibly—while enjoying the benefits of the cloud.

Written by Jan-Jan Lowijs & Alex Tolsma

Data privacy is one of the biggest concerns when it comes to cloud computing, fuelled in part by media coverage of data leaks and customers worried about their personal data once it becomes cloud-based. 

These concerns, though, are not always justified. On the contrary, if your organisation responsibly manages challenges around data privacy and the cloud, GDPR compliance becomes even easier than when your data remains on site.

This is why

According to the GDPR (General Data Protection Regulation), you are obliged to tell your customers which personal data you are processing. It’s easier to comply with this rule if you’re hosting customer data in the cloud, where data is better structured. 

Another advantage of hosting your data in the cloud is security. As we wrote in an earlier blog, the applications and solutions offered by the biggest cloud service providers are now just as secure or even more secure than their on-premise counterparts. Because of their scale, these providers can offer 365-day round-the-clock service for fixing security vulnerabilities and bugs—and they can do it better and cheaper than you can. 

In addition, cloud providers have good back-up strategies, meaning the availability of your data is guaranteed. 

 

Choosing the right provider

The most essential part of responsibly implementing your cloud strategy — so that you can profit from all its advantages  — is choosing the right provider. We regularly meet companies that base their choice primarily on price. But don’t join this race to the bottom. The most important selection criterion should be: How does the provider deal with your data? Does it store it on shared-storing premises? In which geographical location does the provider store your data? And how cooperative is the cloud provider? 

We recommend trying to negotiate a tailored contract with incorporated clauses regarding privacy commitments and agreements about the controller-processor relationship. However, at bigger cloud providers, these customized contracts aren’t always available. Still, you should expect them to tell you exactly which services you should or shouldn’t use in order to comply with the laws and regulations that apply to your particular situation.

The best providers know the importance of data security and comply with the GDPR security requirements. They know the applicable law for your data. Breach notification obligations and protocols are included in data processing agreements with good cloud providers. They also update you proactively if they adjust their data processing. Part of your selection process can include a Data Protection Impact Assessment (DPIA) and a security assessment. Is the designated provider able to comply with your IT security requirements? 

Remain in the driver's seat

Even if you have chosen a trustworthy cloud service provider, you cannot just sit back and relax. As the controller, you remain responsible for the processing of personal data, even if this processing takes place in the cloud. You must set up controls that keep your privacy and security officers up-to-date on changes in data processing and applicable laws and regulations. Responsibly leveraging cloud benefits means that you remain in the driver’s seat.

Let's connect

Deloitte has helped many organisations understand the impact of cloud computing on business continuity management. Do you want to know more about GDPR-specific cloud challenges and how to approach them? Please contact Dave Klingens or Jan-Jan Lowijs via the contact details below.

Did you find this useful?