Businesses around the world have been increasingly taking advantage of cloud services, from hosted telephony, through to unified communication platforms and simple storage. The distributed ‘anywhere’ nature of the cloud provides incredible flexibility for businesses and employees alike, and generally offers a cost benefit as well.
These global and distributed features that drive these benefits have the potential to fall foul of 2018s upcoming General Data Protection Regulation. This greatly increases the responsibility of businesses holding personal information, including extending their liability for that data’s security and placing limits on businesses transferring data internationally.
Data Controllers, Processors, and Responsibility
The GDPR defines two general groups who have responsibility for sensitive data: controllers and processors. Controllers are, in essence, the business which has collected the data. Processors are any entity to which a controller passes this data.
The GDPR greatly extends the responsibility of data controllers when it comes to any ‘personal’ information: data passed to a third party for analysis, for example, remains the responsibility of the data controller. A data breach suffered by a third party in possession of data you have collected will still be your responsibility.
This means that businesses using cloud services, whether XAAS platforms or simply cloud storage, are responsible for assessing and securing data both on the cloud platform and in transit between their own site and the cloud.
Cloud providers chosen by businesses will also need to comply with GDPR terms. It is the data controller’s responsibility to assess this, from the controller receiving written confirmation of the provider’s agreement to provide adequate security, through to the provider being able to fully comply with an individual’s right to erasure. The latter involves not only deleting the obvious copy of information, but any distributed or backup copies as well.
Global Cloud Services vs The GDPR
In addition to the awkward data security issues posed to cloud users, the GDPR also imposes regulation on the transfer of information. Specifically, that data can’t be transferred out of the EEA unless the receiving country guarantees a sufficiently high level of rights and freedoms.
In practice, this means that data controllers are not only responsible for their cloud provider’s security, but also to investigate where data centres and cloud nodes are located in order to ensure that they stay compliant.
While the GDPR does not spell the death of cloud services, it certainly makes the adoption of cloud-based services much more difficult for UK businesses. The level of due diligence required by a data controller to entrust their data to a cloud provider (essentially requiring a security audit or guarantee, deeper understandings of the provider’s infrastructure and agreements to be put in place to guarantee individual rights can be maintained), mean that the adoption of cloud-based services may fall significantly.
The other possibility is a rise of specifically compliant cloud services, who have taken special precautions to be GDPR compliant, with data centres only in approved locations. For the moment, however, cloud services need to be considered very carefully and existing services should be scrutinised before the GDPR takes effect.
Central London (WFH), £300 p/d. Initial 3-6mth contract. Expected to roll.
Central London (WFH), £70k
Central London (WFH), £80k + Bens
Central London (WFH), to £35k + Excellent Bens. (Freelance £250 p/d).
Central London, £45k + Excellent Bens - 6 mth FTC (expected to roll to Perm)
Central London, DOE