With the internet landscape lacking clearly definable borders, it’s possible for international laws to have far-reaching consequences. One example of this is a European privacy law, the General Data Protection Regulation (GDPR). Is your business affected? If so, what does this mean for your company’s data storage?
What is GDPR?
The GDPR seeks to create a single law that deals with the protection of EU residents’ data. With the aim of safeguarding privacy, it requires organisations to keep and store personal data in a way that promotes transparency, consent and rightful ownership of that data. However, it doesn’t prevent data from being stored anywhere in the world.
While there are many aspects to the GDPR, it particularly affects cloud storage.
If your company does business with EU residents, then you’re required to abide by the GDPR. There are many rules around this; however, for this article we will focus on cloud compliance.
How to identify whether your business’s cloud storage is GDPR compliant
Should your business collect or hold EU resident data, you need to be able to trust the cloud providers that you use. Whether there’s only one, or your organisation engages many to fulfil different purposes, it’s necessary to ensure GDPR requirements are met in each partnership.
1. Data location
A cloud provider’s headquarters may say nothing about where your data is actually stored. There’s even a chance that the data will not remain in one location or country. You need to know where your organisation’s data is being held and ensure that, if needed, you have a strategy in place for multi-country storage.
2. Security and risk management
Check that your cloud providers’ security measures meet the requirements. GDPR has numerous regulations regarding data protection, and your cloud storage has to conform to them. For risk management, providers should be conducting regular audits to check that their security protocols and data processing are up to standard.
3. Retain clear data ownership
Make sure you have a Data Processing Agreement (DPA) with your cloud storage partner. Ensure that the DPA clearly states that the Data Controller (your company) owns the data and that the Data Processor (the cloud provider) will not share the held information with any third parties. The DPA should also enforce that the provider collects only the data necessary for its service to function, and not any ‘special’ data that is irrelevant to that purpose and more revealing (such as race, religion, etc.).
4. Data deletion
When your partnership with the cloud provider comes to an end, you need to know you can download your own data and then have every copy of it erased from their systems. Try to find a cloud provider that does this within a week, but make sure you know how long it will take them.
If you’d like to learn more about GDPR, and how to make sure that your digital transformation is protected from risk, reach out to FinXL today. We can help your business navigate through the changing digital landscape.