Author: Linda Strick, Director Cloud Security Alliance EMEA
The new General Data Protection Regulation (GDPR) is a game changer and applies to any organisations and public administrations that process personal data.
This means that the former distinction between public and non-public bodies has been removed, so that the GDPR applies to all companies processing personal data of EU residents, regardless of whether the processing takes place in the EU or not.
As a matter of fact, since the public sector is increasingly moving to cloud services for resource consolidation to significantly reduce the cost and effort for IT infrastructure and end-user support, the same requirements have to be fulfilled as in the private sector. Reaching compliance with the GDPR creates new risks and at the same time hinders cloud adoption in the public sector because of fewer experiences in this area.
Generally speaking, complying with the regulation includes to implement, among others, the right to be forgotten (“erasure”), the right to obtain all personal information, which data are collected where and since when, as well as the obligation to notify data breaches with high fines.
The implementation of GDPR compliance enforces privacy by design and by default, meaning that within the overall service life cycle exists the principle of minimising the amount of personal data collection is required for each phase. Thus, it is a technical challenge to fulfil those requirements.
With regard to cloud services the GDPR places many task burdens on cloud service providers (CSP) and cloud customers when changing the principles of privacy and data protection. Data controllers and data processors are accountable for implementing the appropriate level of protection concerning personal data they process.
So, both CSP and cloud customers share the responsibility for data processing in terms of liability of data processor and data controller. Thus, the CSP is responsible for implementing the technical measures for compliance, while the cloud customer needs to perform due diligence in terms of defining their own data protection and compliance requirements, for example. This responsibility also applies to the analysis and assessment of the risks by performing a data protection impact assessment (DPIA) (Art. 35 GDPR). The increased risk-based approach stipulates the controller must ensure that all effective measures are taken.
Beside the risk-based approach, the principles of accountability and transparency are the GDPR key factors which change the way personal data is handled.
For example, when collecting data from data subjects on behalf of a data processor, accountability obliges the data controller to be transparent so that regulatory compliance is achieved. Thus, the principle of transparency proves a clear understanding of how personal data is handled.
Both principles require a well-educated data stewardship to handle the personal data with care.
GDPR envisages a Code of Conduct (Art. 40 GDPR) and certifications (Art. 42 GDPR) as tools for demonstrating compliance. The Code of Conduct’s mechanism of adherence to self-assessment provides CSPs with a tool that evaluates the risks, and checks the implemented measures to mitigate the risks. As such, the CSP can achieve compliance for all levels of data protection for personal data offered.
The statement of adherence specifies that all technical, physical and organisational measures are in place to protect personal data. With this statement of adherence cloud customers have an instrument at hand which enables them to evaluate and compare the level of protection for personal data offered by CSPs. A certificate will be issued by qualified auditors and is a 3rd-party audit, as another mechanism of adherence. More details for the CSA CoC for GDPR compliance can be found in: gdpr.cloudsecurityalliance.org