The EU data protection reforms and cloud storage

Among the changes in planned EU data protection reforms are compulsory notification of data breaches and the right for individuals to delete data or move it to another provider.

In January the European Commission announced that the EU’s existing regime of data protection directives that guide national laws such as the UK’s Data Protection Act will be replaced with common EU data protection regulations across all member states by 2014.

The effect of the EU data protection reform includes some far-reaching proposals that will directly affect organisations that hold data on individuals, including the burgeoning cloud storage sector.

In this podcast, Bureau Chief Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about the changes coming with EU data protection reform and their likely effect on cloud storage. Read the transcript or listen to the podcast.


What are the forthcoming changes in the EU data protection regime?

Gorge: The first thing to note is that we are moving away from data protection [as a] directive in the EU to a data protection regulation. So, in the past organisations had to follow national data protection acts … and those were based on data protection directives issued by the EU.

It was a directive rather than a regulation. We are now moving to a single regulation for the EU. That means it’s going to be harmonised at a European level, and it is obviously going to make it easier for organisations to comply with data protection if they are in several countries within the EU.

But it’s also going to bring challenges in terms of how fast the regulation is going to be implemented by member states, bearing in mind some specific challenges in terms of legal implementation, especially in countries like France, Germany and Spain.

It’s also important to understand that the responsibilities of data controllers [are] going to be increased. They’ll have to have policies and procedures and will definitely have to demonstrate they have [carried out staff] training.

They may also need to do data processing impact assessments if any data is likely to present a risk to the individual.

There’s also going to be [compulsory] data breach notifications within 24 hours of a breach as well as the requirement to nominate a data protection officer if you have more than 250 users.

From the cloud perspective, it is interesting to note the right to be forgotten and the data portability and data transfers changes, which mean that you are supposed, as a cloud provider, to be able to delete information about a person if they ask you to do so but also allow them to move … data from one provider to [another].

What are the implications for cloud storage of the forthcoming changes in the EU data protection regime?

Gorge: So, if you are using the cloud for storage, first of all you have to decide what type of cloud you are going to use, whether it’s going to be a public cloud, a private cloud or a hybrid cloud.

If it’s a private cloud, then from a data regulation perspective, you’ll be the processor and you’ll be the controller in most cases, so you’ll have full control over the data and can protect it appropriately.

If you are using a public or a hybrid cloud, you need to make sure that you fully understand the security measures that have been put in place by your cloud provider; now more than ever is the time to actually read the contract.

You need to make sure that your cloud provider actually has the appropriate level of security in terms of policies and procedures, … technical solutions [and] staff training to make sure the data they are storing on your behalf – which, by the way, could be data that you’re handling on behalf of a third party yourself – is protected the right way.

You need to prepare for the potential request by one of your customers to move data away from you. It goes back to the idea of e-discovery; you need to make sure that you know what data you are actually storing, for whom and who’s doing that on your behalf if you use a third party.

It’s very well documented for some security standards – such as PCI, for instance, where Requirement 12.8 tells you how you need to assess the security levels for a third-party provider. But, generally speaking … you need to make sure that you have the right to audit your cloud provider, that you have the right to do a [penetration] test on your cloud provider and that your cloud provider is happy to provide you with copies of policies and procedures showing how they will allow you to comply with the regulation in terms of managing the data that they host on your behalf.

So it’s really about building that trust relationship with the provider and taking ownership of the management of the data so that you are in full control and you can comply with the new regulation.
