IMPACT OF GDPR ON CLOUD COMPUTING

GDPR has impacted the cloud computing sector in the following ways: data retention in the cloud, and many

Published By - Debra Bruce

Growing usage of cloud computing

Cloud computing platforms and applications are growing as businesses and organizations adopt digital infrastructure. Cloud computing refers to networks of remote servers, usually accessed over the Internet, that help users store, manage, and process data. It has become a phenomenon in the information technology sector, and these services generate billions of dollars every year; European companies use an average of 608 cloud apps.

GDPR comes into the picture

But on May 25, 2018, the European Union introduced the “General Data Protection Regulation”, whose main aim is to protect the personal data and privacy of European Union member states. This affects not only how organizations identify and secure personal information in their own systems, but also in cloud services. It also covers how an organization provides transparency in its data flows, detects any relevant malfunction, reports personal data breaches, and handles the privacy of its personnel. It applies to any enterprise or organization that holds EU resident/citizen data, regardless of whether or not it is from the European Union.

Challenges in Cloud Computing due to GDPR

1: Data Retention in the cloud: 

Under the GDPR norms, no organization may store personal data for longer than needed for the defined purposes. It must therefore delete the data once the retention period has expired, from both local and cloud servers.

2: Data breach response and coordination:

The agreement with the cloud provider must include data breach notification and protocols. The contract between the two parties should require that a breach event be notified to the enterprise without undue delay. If the cloud provider suffers any kind of data breach in the future, it should inform the enterprise as soon as possible so that the enterprise can decide whether to manage the situation on its own, with the help of the cloud provider, or with a third-party solution.

3: Processing Data Outside the European Economic Area: 

The cloud provider may store the data in multiple locations, including outside the European Economic Area. In this situation, the controller (the enterprise) can decide to whitelist the country where it wants the data to reside.

4: Data Ownership: 

The contract with the cloud provider should spell out that ownership of a customer's personal data remains with the customer; beyond this, if the data is stored in another country, it is the responsibility of the organization.

5: Metadata Visibility: 

Cloud providers collect different types of metadata, so an organization that wants to enter into a service contract with a cloud provider should also understand what metadata is collected. There are several areas the organization has to work on closely, such as protection of metadata, ownership rights, and rights to opt out of the distribution and collection of metadata.

How Have Top Cloud Service Providers Handled GDPR?

Google Cloud

A year before the implementation of GDPR, Google wrote about its commitment to GDPR compliance across G Suite and all other Google cloud platforms. Google has always treated privacy and security as a prime concern and tries to maintain transparency between its cloud services and its customers. It released updates to its cloud services to meet the requirements of the GDPR guidelines.

To minimize the risk of data leakage, Google tested its services through third-party audits and certifications. These include ISO 27001, which covers information security management systems, and ISO 27017, which covers cloud security controls.

VMware Cloud on AWS

Amazon took its security and privacy to the next level with VMware Cloud on AWS, which has been verified by Schellman & Company, LLC to meet the guidelines of GDPR. VMware engages security and privacy experts throughout the company, including its information security group, legal and compliance teams, the VMware Security Engineering Communications & Response group (vSECR), the VMware Security Incident Response Team (vSIRT) and its Security Operations Center (SOC). These teams work together to build policies, programs and methods to identify any kind of threat. The vSIRT is responsible for handling any kind of data breach, and the forensics of the incident, across VMware.

Conclusion

Since its implementation in the EU, GDPR has become a significant data protection safeguard for citizens, one that presents both new challenges and a potential opportunity for cloud providers all around the globe.

Most cloud providers are not yet prepared for it, as a provider faces multiple challenges in offering its services in the EU, but once they adjust to the new situation they can run their programs easily. Big names in the industry like Google and Amazon have already prepared policies to comply with the GDPR norms so that they can provide their services with protection.

