The General Data Protection Regulation (GDPR) is a regulation by which the EU intends to strengthen and unify data protection for all individuals within the European Union. It governs data protection inside the EU, and also the export of personal data outside the EU. But what is the personal data that GDPR protects? According to the GDPR’s definition (Article 4(1)), personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
How does GDPR work?
GDPR becomes enforceable on May 25th, 2018 and introduces the terms “controller” and “processor.” The controller determines how and why personal data is processed; the processor actually handles the data on the controller’s behalf. Crucially, GDPR applies to controllers and processors based outside the EU if they collect or process personal data of individuals in the EU. It is the controller’s responsibility to make sure the processor complies with GDPR, and processors have to maintain records of their processing activities.
Among the rights GDPR grants to data subjects, two matter most here: the right of access and the right to erasure, better known as the right to be forgotten.
The right of access allows people to obtain any information a company holds on them, together with information about why that data is being processed, for how long, and who is allowed to see it. Personal data can be reviewed, verified and corrected.
The right to be forgotten gives people the right to demand deletion of all their personal data once it is no longer necessary for the purpose for which it was collected. People can also withdraw the consent on which collection and processing was based, which means that such data has to be erased (unless another legal basis for keeping it applies).
In addition, data has to be provided in a commonly used, machine-readable format so that it can be moved to another organization when a person requests it (the right to data portability). Such requests have to be handled within a month; the deadline can be extended by two further months for complex or numerous requests, but the person must be told why.
Assuming that your company is EU based, or controls or processes personal data of individuals in the EU, you should take a closer look at GDPR. There are other criteria, though. If your company has fewer than 250 employees, some exceptions apply. For instance, you are not required to maintain a record of processing activities under your responsibility, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data (such as health or biometric data) or data relating to criminal convictions.
Article 32 of the Regulation sets out the GDPR’s security of processing requirements. Under that article, processors and controllers are required to “ensure a level of security appropriate to the risk.” What is appropriate? It is not precisely defined, but the article lists measures that may be considered “appropriate to the risk,” including:
- the pseudonymisation and encryption of personal data
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- the ability to restore the availability and access to personal data promptly in the event of a physical or technical incident
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
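The first item, pseudonymisation, is the one most often done wrong in practice: hashing an e-mail address with plain SHA-256 looks opaque, but anyone can hash a list of candidate addresses and match them, so the result is not a pseudonym in the GDPR sense (Article 4(5) requires that re-identification needs “additional information” kept separately). The following Python is an example added here, not code from the original post or from any cloud provider. It pseudonymises constructed sample records with a keyed hash (HMAC-SHA256) and then runs the same dictionary attack against both the naive and the keyed variant to show why the key matters. The records, the e-mail addresses and the candidate list are constructed; the key is generated locally for the demo, whereas in production it would live in a KMS or key vault away from the data set.

```python
"""Pseudonymising an identifier as Article 32 suggests.

Added example, not part of the original post. Sample records are
constructed; the key is generated here only for the demonstration and
would normally come from a KMS / key vault held apart from the data."""
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "city": "Lyon"},
    {"email": "bob@example.com", "city": "Gdansk"},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic in the input alone, so anyone
    holding a list of candidate identifiers can reverse it by hashing
    the candidates and comparing."""
    return hashlib.sha256(identifier.lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored separately from the data.
    Still deterministic for one key (records can be joined), but without
    the key the output reveals nothing about the input."""
    return hmac.new(key, identifier.lower().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier (e-mail) with its keyed pseudonym and
    keep the remaining attributes for analysis."""
    return [
        {"subject_id": keyed_pseudonym(r["email"], key), "city": r["city"]}
        for r in records
    ]


def reidentify_by_guessing(pseudonyms, candidates, fn):
    """Dictionary attack: apply fn to every candidate and look the
    results up in the pseudonymised set. Returns {pseudonym: identity}."""
    table = {fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    """Returns (hits against naive hashing, hits against keyed hashing)."""
    key = secrets.token_bytes(32)  # demo only; keep real keys out of the data store
    candidates = [r["email"] for r in RECORDS] + ["carol@example.com"]

    naive = [naive_pseudonym(r["email"]) for r in RECORDS]
    keyed = [keyed_pseudonym(r["email"], key) for r in RECORDS]

    hits_naive = reidentify_by_guessing(naive, candidates, naive_pseudonym)
    # The attacker does not have the real key, so the best they can do is
    # guess one; with a 256-bit random key a collision is not a concern.
    wrong_key = secrets.token_bytes(32)
    hits_keyed = reidentify_by_guessing(
        keyed, candidates, lambda c: keyed_pseudonym(c, wrong_key)
    )
    return len(hits_naive), len(hits_keyed)


if __name__ == "__main__":
    print("naive hashing re-identified %d of %d records, keyed hashing %d" % (demo()[0], len(RECORDS), demo()[1]))
```

The keyed variant is still only pseudonymisation, not anonymisation: whoever holds the key can re-identify every record, and the remaining attributes (here, the city) may themselves be identifying in a small data set. Rotate or destroy the key to make the data set unusable once the purpose is fulfilled, and store it under access controls separate from the records.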
GDPR also defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In the event of such a breach, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33). Under Article 34, when the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall also communicate it to the data subjects without undue delay. There are some exclusions, however. This communication is not required if any of the following conditions are met:
- the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
- it would involve a disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Another GDPR requirement is data protection by design and by default (Article 25). This means that data protection has to be designed into business processes and services from the start, and that privacy settings must be set to the most protective level by default, so that only the personal data necessary for each specific purpose is processed.
As you can see, there are a lot of requirements to meet, and the crème de la crème are the sanctions that can be imposed for not following the GDPR. The maximum fine for infringement is “up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater”. Wow! A lot of money, right?
So, we have briefly gone through the GDPR’s basics, and you should be aware by now that you will almost certainly be affected by it. If you process personal data on premises in your own data center, all the responsibility is on you: you are both controller and processor, so it is up to you how well you prepare for the GDPR, and if something goes wrong, you are the only one to blame. If you process personal data in a public cloud, it is not that simple. You can do your best, but you also have to rely on the cloud provider, which is your data processor. If something goes wrong, you remain accountable as the controller, even if the breach was not your fault. What you can do is choose the cloud provider carefully. But how do you know whether the one you chose is GDPR compliant? You need to read the provider’s documentation and find out what it says about GDPR. I have done part of this hard work for you, so after this rather lengthy introduction to the GDPR, let’s find out what Amazon, Microsoft, and Google say about their compliance.
Amazon Web Services
AWS says its experts have been working with customers around the world to prepare for GDPR and to ensure that everything AWS does complies with its requirements. Amazon has confirmed that all AWS services will comply with the GDPR when it becomes enforceable in May 2018. A new Data Processing Agreement (GDPR DPA) meeting the requirements of GDPR is also available to all customers to help them prepare. In addition, AWS announced its compliance with the CISPE Code of Conduct. CISPE is a coalition of cloud infrastructure providers who offer cloud services to customers in Europe, and the CISPE Code of Conduct helps customers assess how their cloud infrastructure providers comply with data protection obligations under GDPR. Codes of conduct are covered by Article 40 of the Regulation.
According to AWS’ declarations, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon Elastic Block Store (Amazon EBS) are declared compliant with the CISPE Code.
Amazon offers specific features and services which help customers to meet requirements of the GDPR. These are:
- Access control
- Monitoring and Logging
- Strong Compliance Framework and Security Standards
AWS has also put in place privacy and data security policies, practices, and technologies. Customers manage access to their content, AWS services, and resources; Amazon states that it does not access or use customer content for any purpose other than providing the service. Customer data can also be encrypted. AWS declares that customers choose the region in which their data is stored and that no customer content is moved or replicated outside of that region without the customer’s consent. Note that this is a statement about what AWS does, not about what your own code does: a misconfigured replication rule or backup job in your account can still copy data across regions.
If you need more information about AWS and GDPR, Amazon has prepared the General Data Protection Regulation (GDPR) Center, where you can find all the information you need. You can visit it here: https://aws.amazon.com/compliance/gdpr-center/
Microsoft Azure
Microsoft likewise commits that Microsoft Cloud will be fully compliant with GDPR by May 2018, as part of its broader cloud compliance investments.
To identify what data you have and to control access to it, Azure provides:
- Azure Active Directory to provide authorized access to data
- Azure Information Protection to classify, label and protect new and existing data
- Azure Security Center to provide visibility and control over the security of Azure resources
- Data Encryption in Azure Storage to secure data in transit and at rest
- Azure Key Vault to safeguard cryptographic keys, certificates, and secrets
- Log Analytics for security auditing and logging
For more information about Microsoft and GDPR, visit https://www.microsoft.com/en-us/trustcenter/privacy/gdpr/get-started web page.
Google Cloud Platform
Unsurprisingly, Google commits to GDPR compliance as well. According to Google, both G Suite and Google Cloud Platform have implemented appropriate technical and organizational measures so that processing will meet the requirements of the GDPR.
Google provides a lot of information to consider when conducting an assessment of their services, including:
- Expert knowledge, reliability, and resources
- Data protection commitments
- Use of subprocessors
- Security of the services
- Data return & deletion
- Assistance to the controller
- International data transfers
- Standards & certifications
Google’s web page about GDPR is much more modest than Amazon’s and Microsoft’s, but you can still find some valuable information there: https://www.google.com/cloud/security/gdpr/
The world’s top three cloud service providers seem to be ready for the GDPR. They have to be. The European market is too big to walk away from, and if they want a piece of that cake, they have to follow the rules. It is enough that their customers process personal data of people in the EU: either the providers are GDPR compliant or they lose those customers, and the sanctions for non-compliance are too big to risk.
All of this means that you can keep calm and continue to use public clouds, at least the biggest ones. But keep in mind that Amazon, Microsoft, and Google only give you the tools and commit that their part of the shared responsibility will meet GDPR’s requirements. It is up to you how you use those tools and whether you fulfil everything GDPR requires. You are still the controller, and it is you who is responsible for your customers’ personal data. So good luck and be careful: 20,000,000 EUR is a huge amount of money.