How to Meet GDPR Compliance in the Cloud
Jun 24, 2019
What does the General Data Protection Regulation, known as GDPR, have to do with the cloud? The answer: a lot.
Personal data — any data that can identify a person — is increasingly making its way into the cloud. For example, organizations are using IoT-connected devices, AI, and RFID technologies to collect, use, and integrate personal information into products and are storing and processing that data in the cloud.
GDPR provides updated legislation throughout the EU to protect that personal data. It covers many of the previously unforeseen ways that personal data is gathered and used, which includes the cloud.
It simplifies the regulatory environment for international business by unifying the regulation within the EU. The provisions are consistent across all EU member states, which means companies have just one standard to meet within the EU. It also includes tough fines for non-compliance and breaches.
Who’s Subject to GDPR Compliance
The GDPR requirements aren’t just for EU companies. They apply to any organization doing business in the EU or that processes personal data originating in the EU. The data can be about residents or visitors. Because the data may be processed outside the EU, many U.S. companies are subject to the GDPR regardless of their base of operations.
In addition, the GDPR applies if a company maintains a website that uses cookies and can be accessed by EU citizens. The same holds true if it transfers data across borders. The GDPR places equal liability on the organization that owns the data and the outside organizations that help manage it. And even if an organization complies with the EU-U.S. Privacy Shield or other data privacy regulations in the European nation in which it does business, that won’t negate its GDPR compliance requirements.
The GDPR also defines compliance responsibility for data controllers and data processors. The data controller defines how the data is processed and why, and is responsible for making sure outside contractors comply. Data processors are the internal groups that maintain and process personal data records, or a third-party company that performs all or part of those activities on the controller’s behalf.
The GDPR holds both controllers and processors liable for non-compliance. That means both an organization and its partner organization, such as a cloud provider, would be subject to non-compliance penalties even if the partner is the one at fault. That’s why many companies using cloud services go with organizations like AWS. All AWS services comply with the GDPR. In addition to benefiting from all of the measures that AWS takes to maintain GDPR compliance and high-level security, organizations can deploy AWS services as a key part of their GDPR compliance plans.
What Your Organization Must Do to Be GDPR Compliant
If your organization is subject to GDPR compliance, the following are some of the things you’ll likely need to do:
• Determine what areas of your organization fall under the GDPR’s scope. Is your organization a data controller, processor, or both? The category it falls under will determine its compliance requirements under GDPR.
• Identify what data you have, what you do with it, where it’s being stored and/or processed, who has access to it, and where it’s being exported outside the organization. Audit your current compliance position against the GDPR’s requirements. You may need an outside organization with GDPR compliance expertise to help with this step.
• If there are any compliance gaps, determine what it will take to fix them. If you use an outside organization for the audit, it should be able to help you with this step as well. Then bring your existing policies, processes, procedures, and technical and security controls into line with the GDPR’s requirements. Again, this may require the assistance of an organization with GDPR compliance experience.
• Keep in mind that GDPR compliance is an ongoing project. Conduct periodic internal audits and regularly update your data protection processes.
Beyond Compliance
Meeting the GDPR requirements can be arduous and time-consuming. However, the investment will do more than help you meet the GDPR compliance requirements and avoid costly fines. It will help strengthen your overall IT security posture and distinguish your organization’s value proposition from that of its competitors.
That’s why working with an organization such as ClearScale can be invaluable. ClearScale understands GDPR compliance and has extensive experience as it relates to cloud environments — including the AWS Cloud.
As an AWS Premier Consulting Partner, we’re among the top AWS consulting partners globally that have extensive experience in deploying customer solutions on AWS, a strong bench of certified technical consultants, multiple AWS competencies, expertise in project management, and a healthy revenue-generating consulting business on AWS.
ClearScale can’t ensure your organization is GDPR-compliant, but we can work with you to implement the infrastructure and technical controls necessary to meet many of your company’s GDPR compliance and cloud security requirements. We’ve demonstrated success in building solutions for a wide range of organizations that store, process, transmit, and analyze personal data.
Learn more about what we can do for your company. Download our eBook Next Generation Cloud Security for Your AWS Environment.