Compliance Compendium: Why GDPR compliance is difficult in the cloud

GDPR has now been in enforcement for nine months and while firms have been rushing around to ensure they are compliant, GDPR in the cloud has not seen much focus. Compliance Compendium chief business development officer Gareth Gadd explores how cloud operations need to change for GDPR.

The cloud has become an increasingly more prevalent piece of technology, with all types of companies using it to store their data and files.

However, Gadd stated that if a company is storing or processing information which enables the identification of an EU citizen, then GDPR is applicable. This personally identifiably information (PII) is stored on these cloud databases and a company does not know where these are or the regulation covering it, causing GDPR compliance issues.

Gadd added, “When storing PII the important thing to consider is the controller/processor relationship. If you are storing the data, and it is you that determines which information is stored, then you are the data owner or data controller. You are ultimately responsible for that data. The cloud service provider is the data processor and must protect that data both when it is in transit and when stored.

“Let’s be clear; banks, insurers, credit card companies, shops, therapy providers, charities, religious organisations etc. that collect PII are data owners. And it is their duty to comply with GDPR, not a cloud service provider.”

If a company uses cloud apps, which includes cloud storage, that are not compliant, they are at risk of fines by regional information commissioners. This will impact the trust levels of existing customers and a potential loss of some to competitors, Gadd said. As for charities, these could even lose essential donations.

Essentially, GDPR requires a company to know what data they hold, where it is and whom has access. Gadd outlined three ways where GDPR is impacting the cloud.

Firstly, a business needs to know what cloud-based apps they use and what information is being stored through it. Secondly, they must know where the cloud service is, and while some may believe it is ‘somewhere in the EU’, it might not actually be.

The final area is that a company must know if this information is being shared with others – “Outside the EU it is not illegal to share your data with third parties, e.g. for targeted marketing.”

He concluded, “If you are not sure then you need to be. You are the controller and you are responsible, and you will be the one that the ICO fines, not the cloud company.”

Enjoyed the story? 

Subscribe to our weekly RegTech newsletter and get the latest industry news & research

Copyright © 2018 RegTech Analyst


The following investor(s) were tagged in this article.