<h1>Making Sure Your Cloud Storage Is GDPR-Compliant</h1>
<p>Published April 10, 2018 at <a href="https://www.poweradmin.com/blog/making-sure-your-cloud-storage-is-gdpr-compliant/">https://www.poweradmin.com/blog/making-sure-your-cloud-storage-is-gdpr-compliant/</a></p>

<p>It’s now just a couple of months until the European Union (EU) brings its General Data Protection Regulation (GDPR) into effect. As of May 25, 2018, this body of rules will bring the most wide-ranging and stringent set of internet privacy laws ever formulated to the forefront of global business.</p>

<p>Designed to safeguard the personal information of internet users resident in or native to the EU, the GDPR sets out a comprehensive regime of compliance rules, guidelines, and penalties governing how data from consumers, subscribers, and visitors to websites or online resources may be gathered, stored, handled, and shared.</p>

<p>Because it concerns digital information and the internet at large, the terms of the General Data Protection Regulation apply not only to websites and businesses operating within Europe, but to any organization that handles data from EU citizens or residents. This includes cloud-based resources and third-party service providers – so if you’re dealing with any of these, this article should be a wake-up call for your business.</p>

<h2>GDPR In A Nutshell</h2>
<p>The General Data Protection Regulation (GDPR) introduces a framework of rules, standards, and recommended practices aimed at protecting the privacy and improving the safeguards surrounding the personal and online information of European Union (EU) citizens and residents.</p>

<p>GDPR seeks to <a href="https://www.information-management.com/opinion/how-to-ensure-your-cloud-storage-is-compliant-with-gdpr">empower individual EU citizens</a> and residents by strengthening their rights to demand fuller disclosure of what personal information is collected from them, where it’s kept, how it’s used, and who has access to it. “Personal information” in the GDPR context goes beyond the data entered into website subscription forms or text fields to include identifiers such as SIM card IDs, website cookies, and IP addresses.</p>

<p><a href="https://www.capgemini.com/2017/10/the-impact-of-gdpr-on-your-customer-experience-operations/">Rights enshrined within the framework</a> include the right of access to consumer information held by the organizations they do business with, the right to have this information rectified if it’s incorrect, and the right to have it deleted on request (the “right to be forgotten”).</p>

<p>GDPR lays out strict rules on all procedures relating to EU personal data, with the threat of substantial penalties if these conditions are not met. These range from regularly publicized audits (equivalent to “naming and shaming”) and bans on trading within the EU, to fines of up to €20 million ($24.6 million) or 4% of a company’s annual global turnover – whichever is the greater.</p>

<p>It builds on existing EU legislation, and sets out new parameters for information collection, storage, sharing, and handling by what it terms “data controllers” (including the new breed of Data Protection Officers which organizations are required to appoint) and “data processors” – among whom are cloud services and IT hosting providers.</p>

<h2>Concerning The Cloud</h2>
<p>A 2017 Netskope Cloud Report suggests that the average European enterprise uses something like 608 distinct cloud applications. Figures for American and global businesses are on a level with this. But while commercial organizations rely on cloud platforms such as Salesforce, SuccessFactors, Dropbox, Expensify, Workday, and numerous others, these same organizations are unaware of 90% of the apps people within their ranks are actually using.</p>

<p>According to a <a href="https://www.computerworlduk.com/cloud-computing/how-ensure-gdpr-compliance-in-cloud-3663797/">recent survey</a> by Commvault, only 12% of the 177 global IT organizations polled understood how GDPR would affect their cloud services. This level of ignorance is just the first hurdle to be overcome in a GDPR compliance regime that requires every cloud-based asset associated with an organization to be fully compliant in itself.</p>

<p>The following recommendations set out a strategy for ensuring that your cloud storage, apps, and service providers reinforce your GDPR compliance rather than undermine it.</p>

<h2>Know Where Your Data Is Being Kept</h2>
<p>Having identified all the cloud services used by members of your organization (both the IT-approved ones and those that aren’t), you’ll need to delve further to unearth the data-handling practices of each one.</p>

<p>For starters, <a href="https://carrenza.com/gdpr-cloud-provider/">compliance with GDPR</a> will be required from any cloud-based app or service provider which is Europe-based, or hosted on physical infrastructure in an EU nation. This applies to both the static storage and the processing of data pertaining to EU citizens and residents.</p>

<p>In making this determination, bear in mind that cloud services may move your organization’s information around between their various data centers – and if storage or processing occurs within EU borders, GDPR requirements will come into play.</p>

<h2>Get The Paperwork In Order</h2>
<p>At the contract level, carefully review all agreements with cloud storage platforms, application hosts, and other service providers. If any of the services are not currently in compliance with GDPR, draft a fresh agreement and update their terms of service (assuming that they’re willing) to bring the conditions into line.</p>

<p>Be prepared to terminate your contracts with any cloud providers that refuse to renegotiate terms. It may be possible to bring one or more existing contracts under the same (GDPR-compliant) umbrella with a new provider.</p>

<h2>Fine-Tune Your Data Collection</h2>
<p>The General Data Protection Regulation is very strict about ensuring that the previously intrusive data-collection methods used by websites, online services, mobile apps and the like are curtailed and brought under a new regime of discipline, where EU consumers no longer have to worry about large corporations or unknown third parties being privy to their most personal details.</p>

<p>In line with this, you’ll need to make sure that the information being gathered or processed on your behalf by cloud services is limited to what’s strictly necessary. For example, if you only need to know a website visitor’s IP address, then that’s the only information you should require them to provide.</p>

<h2>Get Specific With How Data Is Used</h2>
<p>Following on from the previous point: in drafting the consent forms that request permission for various data points to be gathered and used – and in designing the analytical or other processes that work with those data points – compliance with GDPR will be that much easier if you impose a strict discipline of your own.</p>

<p>With cloud applications and services, this means ensuring that data on individuals is collected and used for a specific purpose – and only for that purpose. No follow-up emails pulling in third-party advertisers. No selling on to marketing networks, storing for “research purposes”, or other practices that may allow information to fall into the wrong hands – and outside your compliance remit.</p>

<h2>Keep Only What’s Necessary</h2>
<p>With GDPR effectively guaranteeing European users access, erasure, and even editing rights to the information you gather from them – and setting specific conditions and time limits for disclosure and deletion – it’s in your best interests to ensure that any personal data your organization has in storage at a given time is both limited in scope and able to be disposed of at a moment’s notice.</p>

<p>This can be facilitated by negotiating agreements with your cloud providers that allow for the <a href="https://www.cloudindustryforum.org/content/cloud-and-eu-gdpr-six-steps-compliance">immediate disposal of information</a> the provider holds once your contract expires. Keeping the data held in storage to a minimum also reduces the risk of exposure from security breaches or hacking events.</p>