What’s the General Data Protection Regulation, known as GDPR, have to do with the cloud? The answer: a lot.
Personal data — any data that can identify a person — is increasingly making its way into the cloud. For example, organizations are using IoT - connected devices, AI and RFID technologies to collect, use and integrate personal information into products and are storing and processing that data in the cloud.
GDPR provides updated legislation throughout the EU to protect that personal data. It covers many of the previously unforeseen ways that personal data is gathered and used, which includes the cloud.
It’s meant to simplify the regulatory environment for international business by unifying the regulation within the EU. The provisions are consistent across all EU member states, which means companies have just one standard to meet within the EU. It also includes tough fines for non-compliance and breaches, with fines up to four percent of total global turnover if GDPR rules are breached.
Who’s Subject to GDPR
The GDPR requirements aren’t just for EU companies. They apply to any organization doing business in the EU or that processes personal data originating in the EU. The data can be about residents or visitors. Because the data may be processed outside the EU, many US companies are subject to the GDPR regardless of their base of operations.
The GDPR also defines compliance responsibility for data controllers and data processors. The data controller defines how the data is processed and why and is responsible for making sure outside contractors comply. Data processors are the internal groups that maintain and process personal data records. Or, it could be a third-party company that performs all or part of those activities.
The GDPR holds both controllers and processors liable for non-compliance. That means both an organization and its partner organization, such as a cloud provider, would be subject to non-compliance penalties even if the partner is the one at fault. That’s why many companies using cloud services go with organizations like AWS. All AWS services comply with the GDPR. In addition to benefiting from all of the measures that AWS takes to maintain GDPR compliance and high-level security, organizations can deploy AWS services as a key part of their GDPR compliance plans.
What Your Organization Must Do
If your organization is subject to GDPR compliance, the following are some of the things you’ll likely need to do:
• Determine what areas of your organization fall under the GDPR’s scope. Is your organization a data controller, processor or both? The category it falls under will determine its compliance requirements under GDPR.
• Identify what data you have, what you do with it, where it’s being stored and/or processed, who has access to it, and where it’s being exported outside the organization. Audit your current compliance position against the GDPR’s requirements. You may need an outside organization with GDPR compliance expertise help with this step.
• If there are any compliance gaps, determine what it will take to fix them. If you use an outside organization for the audit, it should be able to help you with this step as well. Then bring your existing policies, processes, procedures and technical and security controls into line with the GDPR’s requirements. Again, this may require the assistance of an organization with GDPR compliance experience.
• Keep in mind that GDPR compliance is an ongoing project. Conduct periodic internal audits and regularly update your data protection processes.
Meeting the GDPR requirements can be arduous and time-consuming. However, the investment will do more than help you meet the GDPR compliance requirements and avoid costly fines. It will help strengthen your overall IT security posture and distinguish your organization’s value proposition from that of its competitors.
That’s why working with an organization such as ClearScale can be invaluable. ClearScale understands GDPR compliance and has extensive experience as it relates to cloud environments — including the AWS cloud.
As an AWS Premier Consulting Partner, we’re among the top AWS consulting partners globally that have extensive experience in deploying customer solutions on AWS, a strong bench of certified technical consultants, multiple AWS competencies, expertise in project management, and a healthy revenue-generating consulting business on AWS.
ClearScale can’t ensure your organization is GDPR-compliant, but we can work with you to implement the infrastructure and technical controls necessary to meet many of your company’s GDPR requirements. We’ve demonstrated success in building solutions for a wide range of organizations that store, process, transmit, and analyze personal data.
Learn more about what we can do for your company.
Get in touch today to speak with a Cloud expert and discuss how we can help: