peshkova - Fotolia

A cloud compliance checklist for the GDPR age

The cloud is supposed to make things simpler, but when it comes to compliance, things can get complex. Here is a look at the essential elements of a cloud compliance strategy

This article can also be found in the Premium Editorial Download: Computer Weekly: Delving into viewer data at the BBC

UK businesses are among Europe’s leading adopters of cloud storage and computing.

According to Eurostat, the EU’s statistics agency, 41.9% of UK enterprises use the cloud – ahead of France, Germany, Italy and Spain – and UK enterprises are most likely to use cloud services for file storage, cloud-based email and office software.

As a result, businesses are almost certain to be storing sensitive and personal data in the cloud. Cloud compliance then becomes a key issue.

Since the EU’s General Data Protection Regulation (GDPR) came into force last year, organisations handling personal data have been inundated with information and advice on how to keep up with the new rules.

But GDPR – now enshrined in the Data Protection Act 2018 – is just one piece of legislation firms need to keep up with. CIOs might also need to consider the EU’s ePrivacy Directive, the Privacy and Electronic Communications Regulations, and the UK’s Digital Economy Act, 2017.

Industry rules, rather than laws, drive others, such as the PCI-DSS standard for card and electronic payments. But these rules still influence how organisations process data, and where they can store it.

Data in the cloud, rules on your desk

Moving data to the cloud does not change the legal basis for protecting information. The organisation that gathers data is still responsible for cloud compliance, even if the mechanics of how that is done is outsourced to the cloud provider.

In fact, using the cloud can add complexity to compliance, even if it simplifies the technology. With the cloud, an organisation might not know where data is stored – an issue known as data sovereignty.

This matters because the GDPR restricts the transfer of data outside the EU. And data transfers need consent. If an organisation uses the cloud and cannot track where data is held, it will struggle to stay on the right side of the law.

That is why IT teams should make sure that any cloud project is supported by a thorough approach to cloud compliance. This means carrying out an initial compliance audit, and making regular checks to ensure providers and internal processes are following the rules.

“The primary tasks include identifying where and how an organisation’s data is being stored and protected,” says Neil Thacker, CISO at Netskope, a cloud security specialist.

“Geolocation and data sovereignty are regular checks that organisations must undertake. Many organisations use their record of processing mandated by Article 30 of the GDPR, using it as a central inventory to ensure cloud compliance is maintained.”

Cloud compliance audits: pre-launch checks

IT teams should start by checking that their own internal processes and the proposed cloud solution meet compliance needs. This covers legal responsibilities, any industry-specific regulations, and internal rules for handling sensitive data.

According to Andrew Parker at IT consultancy Step5, these checks should cover the data the organisation plans to hold in the cloud, how data will be transferred to the cloud, and where – geographically – that data will be held.

“Many organisations have fallen foul by failing to understand their data footprint before starting the cloud journey,” says Parker. “This includes the GDPR, and the commercial sensitivity of the data, and the data classification.”

The audit process should start with an analysis, as thorough as possible, of the organsation’s data assets and data handling policies. This should include existing data security measures, as well as policies for data capture and processing, including consent.

Read more on cloud compliance

  • Cloud storage cuts capital spending and makes costs predictable but if you entrust your data to a third party, you must conduct compliance audits.
  • With compliance as a service, organisations can lean more heavily on their cloud providers to ensure adherence with certain regulations, but not without some risk.

Picking a cloud provider with a robust set of security measures will be of limited use if staff can still keep local copies of data or, worst still, transfer them to uncontrolled locations, such as consumer-oriented sharing services.

Also, putting data in the cloud will not protect a business if it does not have a legal basis for obtaining, storing and processing the data, and, if needed, for deleting it.

Consumers have key rights under the GDPR, including the right to be forgotten, the right to review their data (right of access), and the right to appeal against automated, data-based decisions. Organisations can meet these rights only if they know what data they hold, and why.

Improved security is, of course, a valid reason to move data or applications to the cloud, especially for smaller organisations with limited IT resources.

Cloud service providers increasingly promote that they meet GDPR, ISO27001, and other standards. But buying in services from a trusted supplier does not absolve an organisation from its own obligations.

“There are no panaceas,” says David Norfolk, analyst at Bloor Research. “You always have to think about security. The GDPR will penalise you for choosing the wrong public cloud provider, or not specifying the SLA [service-level agreement] properly, as well as penalising the cloud provider if the error results in a data breach.”

Fire and forget?

Cloud compliance is not a one-off project. For businesses to stay the right side of the law, they need to ensure that everyone – from employees to external providers – follows the rules, and that the rules are up to date. This is an ongoing process.

Data loss prevention tools, monitoring and logs will go a long way to ensuring compliance – but CIOs might need to go further.

For example, does the company have processes to remove access to cloud storage for employees who leave? Should access be controlled by geography, and are mobile devices set up so that they hold no data locally?

“Standards like GDPR define the requirements for protection data and information very well and should be strictly adhered to,” says Gerald Sternagl, storage business unit manager for Europe, Middle East and Africa (Emea) at technology supplier Red Hat. “Measuring and maintaining compliance against such standards is essential.”

Given the proliferation of cloud systems, automation can help here, says Sternagl.

Who guards the guards?

Fortunately for CIOs and cloud project leads, there are frameworks for security and quality compliance, such as ISO27001.

Cloud providers are also more willing to allow third-party audits than they were even five years ago, and the IT consulting industry has more experience of auditing cloud providers and their processes.

“Compliance certifications prevent legal headaches and build trust,” says W Curtis Preston, chief technologist at Druva, a data management-as-a-service company.

“A thoughtful and comprehensive security system can protect your data, your business and your customers.”

Netskope’s Thacker also points to ISO 27017 (controls-based) and ISO 27018 (code of practice-based) certifications, and the Cloud Security Alliance’s STAR standard.

But standards are only a starting point, of course. CIOs and data protection officers need to stay vigilant to ensure those standards are kept.

Read more on Data protection regulations and compliance

Data Center
Data Management