
Understanding GDPR and cloud computing

Deloitte on Cloud Blog

As enterprises embrace public clouds, and thus store data in diverse environments, there is a need to understand the regulatory and legal considerations of each aspect. So, what do you need to know?

April 5, 2018

A blog post by David Linthicum, managing director, chief cloud strategy officer, Deloitte Consulting LLP.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to unify data protection for everyone in the European Union (EU). It also addresses the export of personal data outside the EU, which is where international cloud users are getting concerned.

GDPR includes aspects that address what data is being housed and where, how it is secured, and the flow of how users access and use it. As enterprises embrace public clouds, and thus store data in diverse environments, there is a need to understand the regulatory and legal considerations of each aspect.

So, what do you need to know?

First of all, GDPR defines several roles that include the data controller, data processor, and data protection officer (DPO). These are important when considering compliance in and outside of the country where the EU residents’ data resides.

The data controller defines how personally identifiable information (PII) is processed and for what purpose. You can think of them as governance by humans who enforce predefined policies and procedures.

Data processors maintain and process personal data records. This may not be the best job in the world since the GDPR holds processors liable for breaches. This is important when considering the use of cloud-based platforms because it’s possible that both your company and cloud providers will be held liable for noncompliance.

The DPO is a mandated role for any company that stores and processes EU residents’ data. This is the designated person who educates the company, whether it leverages cloud or not, to ensure GDPR compliance. Also another un-fun job. They are the contact point for regulators if there are concerns or violations. In other words, they reach out to you first with the bad news.

The core question is: How do the new GDPR regulations affect cloud computing in my world?

It’s really not that big of a deal, as long as you put the processes and people in place in order to be compliant. Like anything else compliance-related, it’s likely going to cost money and time, and it does add some risk.

Applying the GDPR regulations to cloud is much like applying them to traditional on-premises systems. You’ll likely use the same people, processes, and tools across both public cloud and traditional systems.

However, cloud computing does add some complexity because we need to partner with our public cloud computing provider to ensure GDPR compliance. The good news is that most public cloud providers have had years to prepare and are ready to provide compliance processes and resources. The bad news is that issues are likely to arise as both sides get used to GDPR. It’s another regulation that businesses need to address and worry about.
