The General Data Protection Regulation (GDPR), aka EU Regulation 2016/679, unifies data protection for all residents of the European Union (EU) as of May 25, 2018. GDPR also addresses the export and processing of personal data outside the EU, which is where cloud users' compliance concerns arise.
So, what do you do to comply? The spirit of the regulation is to protect the privacy of EU residents. While many people believe that this means their data must be kept in the EU country where the person resides, the fact of the matter is that the data can be stored anywhere in the world, as long as its collection and use comply with GDPR.
If you’re looking to do business with EU residents, there are a few basic rules to follow. To support those rules, GDPR defines several roles, including data controller, data processor, and data protection officer (DPO):
- The data controller defines how personally identifiable information (PII) is processed and for what purpose. Again, this can take place inside or outside the EU, as long as the regulations are followed.
- Data processors maintain and process personal data records. GDPR holds processors liable for breaches. This is important when considering the use of cloud-based platforms, because it’s possible that both your company and your cloud providers will be held liable for noncompliance. Even if an outsourced processor actually violated the regulations, both you and the cloud provider could be in trouble. Basically, you can be liable for the actions or inactions of the provider you hired.
- The DPO is a mandated role for any company storing and processing EU residents’ data. This is the designated person who educates the company, ensures GDPR compliance, and serves as the contact point for regulators if there are concerns or violations.
If you do business with EU residents, which most Global 2000 companies do, you must understand these new regulations now. Indeed, if you’ve not started the process of retooling and reorganizing for GDPR, it’s perhaps too late.
As part of that effort, be sure to update your SLAs to include terms covering compliance with GDPR. Again, both you and the cloud provider carry some risk here, and each can hurt the other if basic GDPR rules and processes are not followed.
I also suggest that you run internal compliance audits at least twice a year to better understand your ability to comply with GDPR. If you run afoul of these regulations, there are stiff financial penalties, whether you are based in the EU or not.
The cost of compliance could leave some smaller companies unable to serve EU residents, and those companies should be certain that they don’t do so. Everyone else needs to make sure that not only they but also their providers are following the GDPR rules.