What happens when legislation in one country affects what people do in other countries? The EU’s General Data Protection Regulation (GDPR) took effect May 25, but what does that mean for you and me if you don’t live in one of the EU countries? Cloud providers have been especially concerned about this since cloud services are intended to be available always, everywhere. Now, since a lot of journalistic fluff has been written about GDPR over the last year, I thought it might be good to tap into an expert to get a more reasoned and technical view of the impact GDPR will have on companies located outside of Europe. To do this I reached out to Alex Bordei, Director of Product and Development at Bigstep, a company that empowers organizations determined to make sense of their data by providing a full-stack Big Data ecosystem running in a high-performance bare metal cloud. Alex is a highly technical professional with over 10 years of experience in architecting and developing high performance distributed services for the cloud market. He has an MSc in Computer Science and has always been keen on research in advanced software technologies. Alex can be reached at [email protected] and you can follow him on Twitter at @BigStepInc. Below is a brief Q&A with Alex that should help clarify your thinking about how your company and the cloud services it provides or consumes may be impacted by GDPR.
Can you summarize in an easy-to-understand way what companies — whether they’re users of the cloud or cloud providers — will face with the EU’s GDPR requirements starting after May 25?
There are many levels of integration between companies and cloud services. But on all occasions, as some customer personal data might end up on a third party’s hard drives, that will be a form of “processing” and that will make the cloud provider a “processor” on behalf of the respective company. Storage alone is considered “processing” even if the data is encrypted.
Nowadays, most companies use cloud services, such as Google Analytics, Office 365, Salesforce, or AWS. All of them are external, third-party “processors” of data but do not necessarily handle end users’ personal data. Under the GDPR, companies will need to be aware of these kinds of relationships and will need to track personal data as it flows between all these different vendors so that at any time they are ready to delete (“right to be forgotten”) or retrieve (“data portability”) all data pertaining to a particular customer (“data subject”).
Companies are now required to have a due diligence process (“DPIA – Data Protection Impact Assessment”) in place to verify the cloud provider’s security capabilities before sharing personal data with them. How this process looks is up to the company in question and depends on the actual data being processed. In case of a data breach, if the fault lies with the cloud provider, the company can be liable to those big fines if the due diligence process was not properly conducted when the contract with the cloud provider was signed. There is no “Compliant with GDPR” certification that cloud providers need to demonstrate; the provisions speak of a principle rather than a strict implementation requirement. Companies need to demonstrate a risk mitigation approach to data protection (“privacy by design”), meaning they need to actively think about what could happen to their customers’ personal data and try to address those risks.
Much of the language around how to comply with GDPR seems focused on roles companies may play in terms of access to, or management of, user data. Could you share information on how companies can determine how to comply based on an understanding of the role they play under GDPR?
Most companies out there that do not provide cloud services themselves are controllers in relation to their customers. If in doubt, this is what you are. This means that they control what happens with the data and, as such, they need to demonstrably satisfy active endorsement of those principles such as “privacy by design,” “data portability,” and the “right to be forgotten” stated above. To be GDPR compliant, one typically starts with a data catalogue, an Excel file where somebody from the company talks to all relevant departments (marketing, sales, operations, customer support, etc.) and identifies and writes down what data is stored, why, where, who has access to it, and for how long it is stored on the company’s systems. From there you try to identify what is deemed personal data and then take each one of those instances and try to find ways to restrict access to, secure, retrieve, and delete that data from those systems. Many times there will also be red flags regarding too much access to that data (example: customer emails available to everybody in the company). If you ask yourself, “Is this the best we can do to protect this data?” the answer will obviously be: “We probably need to restrict access to a need-to-know basis.” The technical implementation of these measures is secondary at this point. If the business group knows what it wants, the technical solution is more or less easy to determine. By the way: There is no tool out there to make you GDPR compliant. GDPR looks at processes rather than technologies, so being compliant involves organizational changes, not only technical changes.
What obligations should data controllers expect their cloud providers to meet?
There is no strict list of requirements. It’s what satisfies the company doing the due diligence and is relative to the data at hand. The risk here is to consider that the big cloud providers are safe just because they’re big. The size of the cloud provider is not a security guarantee and does not absolve the company from doing due diligence. For instance, you have a system running in Microsoft Azure. The fact that it’s Microsoft’s brand name in there does not protect you from hackers that exploit your web-facing application’s vulnerability, nor does it provide you any guarantees that a rogue Microsoft employee might not find ways to go around your firewall.
The best thing is to think about possible risks (like the rogue employee stated above) and ask the cloud provider to provide details on how they mitigate that risk, and write the answers down. If satisfactory, then move on; if not, then look somewhere else. In the case of a breach, you might be asked to demonstrate that you asked the questions and that the answers were OK. A word of caution on beta or alpha services: They are typically a lot less secure than their generally available (GA) counterparts.
As stated by the “privacy by design” principle, I would suggest you consider any cloud provider and your internal systems unsafe and try not to store plain text data in the first place. Actively encrypt, anonymize, pseudonymize, and generally build multiple layers of protection, not just a perimeter fence (a.k.a. firewalls) around critical data.
Another question to ask your cloud provider is to give you the list of ISO certifications that they hold. ISO 27001 and ISO 27017 have some overlap with GDPR requirements, but this is not a substitute for proper due diligence.
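The “do not store plain text data at the provider” advice above, together with the “right to be forgotten” and “data portability” duties described earlier, can be illustrated with keyed pseudonymization. The following is an added example, not code from the article, from Bigstep, or from Alex Bordei. It assumes a hypothetical setup in which the record shipped to the cloud carries only an HMAC pseudonym of the customer’s e-mail, while the key and the pseudonym-to-identity mapping stay on a system the controller runs itself; the customer e-mails and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Hypothetical on-premise key: generated with secrets.token_bytes(32) in practice.
# Keyed hashing matters: an unkeyed SHA-256 of an e-mail address is trivially
# reversible by hashing guessed addresses, so it is not pseudonymization.
SAMPLE_KEY = b"constructed-demo-key-do-not-use-in-production"


def normalize_email(email: str) -> str:
    """Canonicalize so 'Alice@Example.com' and 'alice@example.com' map to one subject."""
    return email.strip().lower()


def pseudonymize(email: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable for the same subject and key, unguessable without the key."""
    return hmac.new(key, normalize_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


class SubjectVault:
    """Controller-side mapping from pseudonym to identity; never leaves the controller's systems."""

    def __init__(self, key: bytes):
        self._key = key
        self._subjects: dict[str, str] = {}

    def register(self, email: str) -> str:
        pseudonym = pseudonymize(email, self._key)
        self._subjects[pseudonym] = normalize_email(email)
        return pseudonym

    def resolve(self, pseudonym: str):
        """Used for data-portability requests: find who a cloud record belongs to."""
        return self._subjects.get(pseudonym)

    def forget(self, email: str) -> str:
        """Right to be forgotten: dropping the mapping makes the cloud copies unlinkable."""
        pseudonym = pseudonymize(email, self._key)
        self._subjects.pop(pseudonym, None)
        return pseudonym


def build_cloud_record(vault: SubjectVault, email: str, payload: dict) -> dict:
    """The only subject identifier that goes to the third-party processor is the pseudonym."""
    return {"subject": vault.register(email), **payload}


def record_leaks_identity(record: dict, email: str) -> bool:
    """Defensive check before upload: does any field still contain the raw e-mail?"""
    needle = normalize_email(email)
    return any(isinstance(v, str) and needle in v.lower() for v in record.values())


def demo():
    vault = SubjectVault(SAMPLE_KEY)
    email = "Alice@Example.com"  # constructed sample customer
    record = build_cloud_record(vault, email, {"plan": "pro", "region": "eu-west"})
    before = vault.resolve(record["subject"])
    vault.forget(email)
    after = vault.resolve(record["subject"])
    return record, before, after


if __name__ == "__main__":
    rec, before, after = demo()
    print("cloud record:", rec)
    print("resolves before erasure:", before)
    print("resolves after erasure:", after)
```

The design point is separation of knowledge: the processor holds records it cannot tie back to a person, and the controller holds the link, so erasure is a local operation rather than a request to every vendor. Rotating or destroying `SAMPLE_KEY` would unlink every subject at once, which is useful for decommissioning but must not happen by accident.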
From privacy by design to the transfer of data over international borders, what other obligations are cloud providers required to meet?
Companies should always be aware of where in the world the servers used to provide the consumed service are. If it’s not immediately obvious, companies need to ask for clarification because GDPR states that personal data should not move across the EU boundaries without the customer’s consent, and implicitly the company is liable if that happens. Cloud providers are also liable under GDPR to fines if they move the data with the controller’s knowledge. The problem is the cloud provider might not be aware that there is personal data in a ZIP file, for instance, so it might be backed up on servers in the U.S. This is why you need to ask your cloud provider not only where the servers are but also whether there are backup or synchronization processes happening that might touch that data.
Since all companies will ask the same questions, I expect cloud providers to provide comprehensive documentation on the above, so chances are the answers to those questions are already readily available online.
Why do you think GDPR will ultimately help users as well as companies to advance into the next technological age and use of data?
I think there is a growing climate of mistrust in the Internet itself, amplified by Cambridge Analytica and the huge data breaches happening recently. This could lead to a kind of technical hypochondria that could prevent some portion of end users from using the Internet and online services to their full potential. As a society, it could set us back decades, and billions could be lost in terms of opportunity cost. We might lose the elderly or other disadvantaged categories from increasingly using these services, and this will in turn further segregate our society. These things don’t happen overnight, but doing nothing can cause widespread damage over time, just like climate change.
GDPR is a step in the right direction because it forces managers to actually sit down and think about protecting the data of their users. Most companies out there truly want to protect their customers’ data. In the end, we’re all consumers of some company’s services or another. We just did not stop and think about how to protect them, behind a kind of corporate “cannot happen to me” thinking. I think companies already have so much control over people’s lives that they need to become responsible for safeguarding them. They have an increasing responsibility not just to their shareholders but to society itself.