This post was originally published on April 30, 2018 and updated January 1, 2020.
The rise of the digital economy has spiraled quickly over the last several years, creating an urgent need to account for the vast amounts of information and data being generated around the world. The upcoming General Data Protection Regulation (GDPR) – passed by the European Commission – aims to help control this sprawl by strengthening and unifying data protection for individuals within the European Union (EU), and by addressing the export of personal data outside the EU as well.
The GDPR introduces measures to give consumers better control of data collected by companies. This includes ensuring the security of personal data from a variety of sources, such as employees, customers and partners – focusing on everything from email addresses to medical information to usernames and IP addresses.
While many people mistakenly believe that their data must be kept in the EU country where they reside, the fact is that data can be stored anywhere, as long as its collection and use comply with GDPR regulations.
The May 2018 effective date of the GDPR is now behind us, with all European and non-European businesses active in the European Economic Area (EEA) affected. This has led organizations around the world to invest time and resources to assess and ensure that they are compliant with GDPR.
GDPR and the Cloud
So what does the GDPR mean for cloud service providers (CSPs) in particular? Previously, data protection regulations applied to the person or organization that determines the purpose and means of processing personal data.
As “processors” rather than “controllers” of their customers’ personal data, CSPs hadn’t been held responsible for data breaches. However, this changes with GDPR. The GDPR extends the compliance responsibility to the “processor” of the data as well.
Data privacy challenges are made even more complex by the fact that with cloud computing, the geographical location of data is not always easily determined. Within the EU, the physical location is a decisive factor in determining which privacy rules apply. However, in other jurisdictions, other regulations may apply.
Because data can be stored in multiple locations by CSPs, personal data might be stored outside the European Economic Area (EEA). Appropriate measures must therefore be taken if no adequacy decision has been made about the country where the data resides.
New organizations and tools have sprung up to help businesses deal with the complexity of complying with the GDPR. For example, to support transatlantic commerce, the U.S. Department of Commerce and the European Commission and Swiss Administration designed the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. While companies can voluntarily join the Privacy Shield, once an eligible organization makes the public commitment to comply with the Framework requirements, the commitment will become enforceable under U.S. law.
The move to support GDPR requires cloud providers and enterprises to adapt internal processes and policies as well, involving a significant amount of effort and resources. Both companies and their cloud providers carry risk and all need to be in compliance to make certain the GDPR functions as intended.
CloudShare’s GDPR Compliance
To learn more about the GDPR and how it’s relevant to your organization, visit https://www.eugdpr.org.