How Does the GDPR Impact IT and Cloud Services?
In the previous blog, “What is the GDPR”, we discussed the implications of this law for an organization handling data that is considered “personal data”, some of which may also be considered “sensitive data” (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, or data concerning sexual orientation). In this blog, we will focus on the implications for an IT organization that is affected by the GDPR, particularly when using Cloud Services.
While enforcement of the regulation is still over a year away, GDPR compliance will not be a light lift. Complying with the GDPR is a business-wide challenge that will take time, tools, processes and expertise, particularly around IT. The requirements include greater data access and deletion rules, risk assessment procedures, a Data Protection Officer role for larger organizations, data breach notification processes and much more.
To do all of this, organizations will need to make big changes, and potentially significant investments, in their privacy and data management practices covering both On-Premises IT and Cloud Services. And they need to begin now. As noted in the previous blog, failure to comply with the GDPR could prove costly, as companies that do not meet the requirements could face reputational harm and substantial fines.
The GDPR contains many requirements about the collection, storage, and use of personal information. This covers not only how organizations identify and secure personal data in their own systems and in Cloud Services, but also how an organization accommodates new transparency requirements, detects and reports personal data breaches, and trains privacy personnel and employees. Some of these IT-related implications, whether On-Premises or in the Cloud, include:
- Access to personal data – The GDPR gives individuals rights to a copy of their personal data, an explanation of the categories of data being processed (e.g., location data, browsing history, demographic data, voice data, biometric data), the purpose of the data processing, and any third parties that might receive that data.
- Correcting errors in personal data (rectification) – Individuals can require corrections to their personal data.
- Right to erasure – Individuals can require deletion of their personal data where it is no longer needed for the purpose for which it was initially collected or in the event consent is withdrawn. For enterprises, this means an individual’s data needs to be removed not just from production databases, but all backups, archives, and more.
- Objecting to the processing of personal data – In cases where data cannot be deleted because it is necessary for other legitimate purposes (such as a legal hold, protection of another’s rights, etc.), an individual can require that the data not be processed and that it is merely stored.
- Moving information (also known as Data Portability) – An individual should be able to get a copy of his or her personal data in a structured interoperable format to share with another data controller.
- Strict security requirements – The regulation requires organizations to protect personal data in order to “prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access, or alteration of personal data.” This means data controllers and processors need to ensure:
  - Sensitive personal data is encrypted/pseudonymized
  - Processing systems and services maintain data confidentiality, integrity, and availability
  - Deleted/lost personal data can be restored in a timely manner in the event of a physical or technical incident
  - Security measures are routinely tested for effectiveness
  - Breach detection and prevention tools are in place
- Breach notification obligation – A new requirement not in the existing Data Protection Directive is that data controllers must notify supervisory authorities (generally, the applicable data protection authority) of data breaches without undue delay and in any event within 72 hours after discovery. Data subjects will also have to be notified without undue delay if the leaked data poses a high risk to their rights and freedoms.
- Appropriate consents for data processing – Consent for processing must also be freely given, specific, informed, and unambiguous.
- Confidentiality – Ensure those that process personal data are committed to confidentiality.
- Recordkeeping – Companies must maintain robust records on how they comply with the GDPR and their processing activities.
- Transparent and easily accessible policies – In keeping with the view that individuals should understand how their data is being used, the GDPR requires transparency to individuals regarding how their personal data is collected, used, and processed. This information should be easily accessible and in clear and plain language. It should explicitly describe the specific purposes for which personal data are processed, and it should be provided at the time of collection.
- IT and Training – Companies will need to ensure their employees understand the GDPR and that their data policies are updated to ensure alignment with the GDPR and its broader “personal data” definition. Lastly, companies will need to enter contracts with data processors, such as Microsoft, to jointly commit to the data processing requirements of the GDPR.
As noted above, you may be a data “controller”, defined by the GDPR as an organization that determines the purposes and means of the processing of personal data, whereas a data “processor” is defined by the GDPR as an organization that processes personal data on behalf of the controller. If you are using Cloud Services in the creation, storage, processing, archiving or transfer of personal data, those Cloud Services (e.g., Azure SQL, Azure HDInsight, Dynamics 365, Office 365) may be considered a processor.
In the next blog, we will look at what Microsoft is doing in relation to the GDPR and how their Cloud Services will potentially play a role in your GDPR compliance efforts.