GDPR and your Cloud Storage Strategy
The EU’s General Data Protection Regulation (GDPR) brings into force what is arguably one of the most wide-ranging pieces of internet legislation. As May 25th 2018 rapidly approaches, many businesses are still unsure whether, and how, the new regulations will affect them. This is particularly true when it comes to their cloud. In all probability, if you use cloud technology and it involves external users, you will need to be compliant. Even if you are not affected, most countries, Australia for example, are aligning or have already aligned their own privacy laws with many of the GDPR clauses. This is all best practice anyway.
In part one of our GDPR series, we covered the different areas you need to pay attention to when looking at your cloud’s compliance. Today, let’s take a closer look at an area that can potentially pose a big headache.
What does GDPR mean for your cloud storage strategies?
Here are some key tips to help you reach compliance with the data you are storing.
1. Only store data that is necessary. Understand what information you actually need. For instance, if you only need IP addresses to analyse visitor trends, then don’t collect additional information such as name and email address. Make sure the app and service providers you partner with are compliant.
2. Ensure your third-party cloud providers adhere to GDPR. Compliance is a team game. Due diligence to protect data needs to be taken by your company and by the providers you use. Ensure that their terms and conditions, agreements and contracts are up to date.
3. Make sure that data can be easily erased. The right to be forgotten is a component of the GDPR that may take a bit of work to comply with. Removing a user’s data on request needs to happen in a timely fashion, and every instance of it needs to be removed. Remember that backup from four years ago sitting on a cloud server goodness knows where? It has to go. Do you know where your data is, and can you access it to remove it? In a cloud environment, particularly with multi- and hybrid clouds, it is common for data to move around from time to time. You (or your service provider) need to be able to put your finger on every copy, on demand.
4. Take steps to secure data that is being stored. GDPR does not state directly how you need to achieve this (unlike other legislation such as HIPAA). It does, however, suggest what might be deemed appropriate. It’s up to you to take the precautions you see fit, but at a minimum you should consider data encryption and data breach notification. At the end of the day you need to demonstrate that you have exercised due diligence: document, document, document… and then document some more. Data security should be in your cloud design by default, but it’s not uncommon for this to be inadequately documented. If you were an early adopter of cloud, maybe it’s time to revisit your design. New technologies, practices and understanding gained from experience may mean your old cloud doesn’t fit the new world.
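Tips 3 and 4 come down to knowing every place a subject’s data lives, removing each copy on request, and keeping a record that proves you did. The following is an added illustration, not code from the original article or from Qirx: a small data-subject erasure workflow over a constructed inventory of cloud stores (a primary database, an analytics copy and backups in other regions). The store names, regions and records are all made up. It also handles the case practitioners hit in practice: a write-once backup that cannot be edited in place is reported as pending rather than silently counted as erased, so it ends up in the documentation for follow-up (backup rotation or destruction of the key that encrypts it).

```python
"""Added example (not from the original article): a minimal data-subject
erasure workflow over a constructed inventory of cloud data stores.

Shows how to locate every copy of a subject's data, erase the copies that
can be erased, flag the ones that cannot, and keep an audit record that
itself contains no personal data. All names and records are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib


@dataclass
class DataStore:
    name: str
    region: str
    records: dict            # subject_id -> record payload (constructed)
    immutable: bool = False  # e.g. a write-once backup snapshot


@dataclass
class ErasureRecord:
    subject_hash: str        # pseudonymous reference, keeps the log free of PII
    requested_at: str
    erased_from: list = field(default_factory=list)
    pending: list = field(default_factory=list)

    def complete(self) -> bool:
        return not self.pending


def subject_hash(subject_id: str) -> str:
    return hashlib.sha256(subject_id.encode()).hexdigest()[:16]


def build_inventory() -> list:
    # Constructed sample inventory: one primary DB, one analytics copy, two backups.
    return [
        DataStore("customers-db", "eu-west-1",
                  {"u100": {"email": "a@example.org"},
                   "u200": {"email": "b@example.org"}}),
        DataStore("analytics-export", "eu-central-1",
                  {"u100": {"ip": "192.0.2.10"}}),
        DataStore("backup-2018-q1", "us-east-1",
                  {"u100": {"email": "a@example.org"}}),
        # An old snapshot that cannot be modified in place.
        DataStore("backup-2014-snapshot", "ap-southeast-2",
                  {"u100": {"email": "a@example.org"}}, immutable=True),
    ]


def locate(inventory: list, subject_id: str) -> list:
    """Return every (store, region) that currently holds the subject's data."""
    return [(s.name, s.region) for s in inventory if subject_id in s.records]


def erase(inventory: list, subject_id: str) -> ErasureRecord:
    """Remove every erasable copy and record what was done and what is outstanding."""
    rec = ErasureRecord(subject_hash(subject_id),
                        datetime.now(timezone.utc).isoformat())
    for store in inventory:
        if subject_id not in store.records:
            continue
        if store.immutable:
            # Cannot be edited in place: must be handled by rotating the backup
            # out of retention or destroying the key that encrypts it.
            rec.pending.append(
                f"{store.name} ({store.region}): immutable, needs rotation or key destruction")
            continue
        del store.records[subject_id]
        rec.erased_from.append(f"{store.name} ({store.region})")
    return rec


def verify(inventory: list, subject_id: str) -> list:
    """Locations still holding the subject's data; an empty list means erasure is complete."""
    return locate(inventory, subject_id)


if __name__ == "__main__":
    inv = build_inventory()
    print("found in:", locate(inv, "u100"))
    record = erase(inv, "u100")
    print("erased from:", record.erased_from)
    print("pending:", record.pending)
    print("remaining:", verify(inv, "u100"))
```

The point of the `pending` list is the fourth tip’s “document, document, document”: an erasure request is only closed when `verify` returns nothing, and until then the record shows exactly which copy is outstanding and why.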
Hybrid Cloud – control with flexibility
While there has been a groundswell of people moving to public cloud in the past, there is no doubt that the introduction of the GDPR has put hybrid cloud solutions in the spotlight. This is particularly the case where instinct may dictate that storage of data in a GDPR world would be better managed on-premises. A hybrid cloud solution can certainly help to mitigate the risks associated with data storage and access.
Organisations now need to take another look at the cloud strategy that will work best for them and how to design it to reduce risks and maximise value.
Your cloud design could have a very real impact on whether or not you are ready when GDPR goes live.
About Qirx in a Box
Qirx in a Box is a solution that helps businesses train, design, develop and fully document their hybrid cloud environments, making it easy to build in the principles of “privacy by design” and “security by design” that are a crucial part of the GDPR. The documentation set built with Qirx in a Box can help demonstrate due process in the event of a data breach.
For further information on the GDPR and how Qirx in a Box can help your organisation, watch the following short video and contact us for more.