What is it? How do we adhere? What do we have to do?
Those are just the beginning questions. If you’re like most businesses you also have a cloud footprint to consider. So, what do you have to do with the information stored in the cloud?
We know the questions and concerns you have around this new law and we’re here to help! We’re hosting a webinar November 16th to cover how you should interact with your cloud services provider to ensure that you’re in compliance with GDPR.
To efficiently manage the interactions with your provider and build your GDPR compliance, we recommend that your interactions are decomposed into three separate steps:
- Understanding what kind of data you are storing with the provider
- Establishing the contractual relationship between you and your provider
- Validating your provider’s adherence with GDPR
Understanding what kind of data you are storing with the provider
Decision makers that are responsible for acquiring cloud services for their organizations must be aware of, and understand, what kind of data they are storing with their providers. If that data meets the definition of “personal data” of an EU citizen under GDPR, then that data will fall under the requirements of that regulation. Under Art. 4 of the GDPR, “personal data” is defined as any information relating to an identified natural person or any information that can be utilized, directly or indirectly, to identify a natural person. While it is obvious that this would include names, ID numbers, and locations, you may not be aware that this also includes online identifiers and factors that identify the physical, cultural, or even social identity of a natural person. Knowing whether personal data of this nature resides with, or could potentially reside with, your provider is significant since it determines whether GDPR applies.
Establishing the contractual relationship between you and your provider
Once you determine that personal data of an EU citizen would potentially reside with your provider, and thus GDPR would apply, you must then establish the contractual relationship between you and the provider. You will need to designate the Controller and Processor roles and communicate to the Processor the types of data and the controls in place to protect that data. Under Art. 4 of the GDPR, you would be the Controller, which is the entity responsible for determining the purpose and means of processing the personal data. The provider would be the Processor, which is the entity that processes that data on your behalf. Once those roles have been designated within the contract, the types of data and the controls that the Processor has in place to protect that data will have to be detailed. Because the language of Art. 5 Section 1(f) of the GDPR only indicates that the processing of personal data must be done in a manner that has “appropriate security” and that utilizes “appropriate technical or organisational measures,” you must set your own contractual controls regarding what the provider must do in order to protect the personal data. These controls would be in the initial contract if you are working with a new provider, but, if you already have a contract in place with a provider and that contract does not account for GDPR, you will need to seek an addendum to that existing contract in order to ensure that both you and your provider comply.
Validating your provider’s adherence with GDPR
Before and after signing any contracts or addendums with a provider, you should be sure to perform due diligence on that provider in order to validate that they are complying with GDPR. Prior to signing the initial contract with the provider, you should ensure that the provider’s GDPR program applies to all products, services, and sub-vendors of that provider and not just a small subset of that group. Making sure that this is the case is important in order to avoid unpleasant surprises several months into the contract. Further, even once all of the data and controls have been agreed to and the contract has been signed, you still need to continuously assess the provider by monitoring and auditing their program. Under Art. 28 of the GDPR, the processor must allow you, the controller, to audit its activities in order to ensure that the processor is compliant with both the regulation and the requirements set forth in its contract.
Understanding how to interact with your provider is a significant aspect of GDPR compliance. Performing the three steps discussed above will ensure that you’re interacting with your provider in a manner that keeps you on track with GDPR compliance. Join our webinar, “Meeting Your GDPR Data Requirements While Residing in the Cloud,” to learn more!