Since May 25, 2018, data protection in Europe has been governed by the General Data Protection Regulation (GDPR – The full text can be found here). One of the key points of this regulation is its territorial scope: it applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour, whatever the organization's own nationality. A Cameroonian company that owns a commercial entity in France is therefore required to comply with the regulation.
The GDPR can be summarized in, though not reduced to, five main components:
Increased rights for EU data subjects over their personal data. Among other things we find the requirement for consent that is freely given, specific, informed and given by a clear affirmative act, as well as the "right to be forgotten" (right to erasure). Companies will therefore have to obtain a person's agreement (opt-in) before collecting personal data on that basis, and delete the data of a person who requests it, unless another lawful basis for keeping it applies.
Increased obligations for organizations to secure the data of their customers. One of the basic principles is data protection by design and by default: privacy requirements must be built in from the design stage of a system, not added afterwards. Thus, any information system that manages and stores these data must be "secure," with technical and organizational measures appropriate to the risk.
An obligation to notify personal data breaches: the supervisory authority must be notified within 72 hours of the organization becoming aware of a breach, unless the breach is unlikely to result in a risk to the persons concerned, and the persons themselves must be informed when the risk to them is high. In practice this presupposes that intrusions and data leaks can actually be detected and scoped, which is itself a security engineering requirement.
The appointment of a Data Protection Officer for all public authorities, and for private organizations whose "core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale," or that process special categories of data on a large scale. The DPO is not mandatory for every organization that stores data about EU residents; but where one is required, a person from the organization must be named DPO and act as the primary contact with the supervisory authority.
Fines in the event of failure to comply. For the most serious infringements these fines can go up to 20 million euros or 4% of annual global turnover, whichever is higher.
Through the GDPR, Europe strengthens both the rights of its residents, the security of access to their data, and the mechanisms for controlling such access. As the regulation indicates, from the moment an organization collects the data of people in the EU, it must comply with the regulation.
Cloud and GDPR
What role can cloud technologies play in all of this? They can speed up the deployment of protection, security and auditing capabilities. Indeed, most cloud service providers have already been through the many security and data-access certifications. For example, the standard ISO/IEC 27001 defines the requirements for an information security management system, and most cloud service providers have ISO/IEC 27001-certified services. There is no one-to-one mapping between the articles of the GDPR and the clauses of ISO/IEC 27001, but being certified against this standard is a big step towards GDPR compliance, because it demonstrates that risk assessment, access control, incident handling and continuous improvement are in place. Conversely, if your information system is not ISO/IEC 27001 certified, you will probably have a long way to go.
Microsoft has put online a series of tests to assess your level of compliance with the GDPR. You can take these tests here. You will also find a Compliance Manager that allows you to measure your degree of compliance with standards and regulations such as the GDPR or ISO/IEC 27001:2013. This will not replace the need to have your information system audited, but it may serve as a source of evidence for auditors and regulators. It is clear, then, that using cloud services generally reduces the work needed for compliance. One caveat a practitioner should keep in mind: the provider's certifications cover the provider's infrastructure and services, not what you build on top of them. You remain the controller (or processor) of the data you store there, and configuration, access management, encryption of your own data and breach notification to your customers remain your responsibility.
You will find more information on compliance and regulations in my book Private, Hybrid, and Public Clouds.