GDPR specific challenges
Implementing retention effectively in the cloud. In general, under the GDPR personal data may not be stored longer than needed for the predefined purpose. Therefore, retention periods must be implemented and it must be possible to delete data effectively when retention periods have expired: both for data stored locally and for data stored in the cloud. The difficulty here is that data can be stored in multiple locations, under multiple jurisdictions, by cloud service providers, and therefore there is the challenge of identifying and managing multi-jurisdictional retention requirements. The deletion of data also poses a challenge. To delete data completely, backups must be taken into consideration as well. Therefore, it is important to have a clear overview of how backups are secured and how retention is managed by your cloud service providers.
Breach response and coordination. Breach notification obligations and protocols must be included in data processing agreements with cloud providers. The contract must define a breach event and describe a procedure for the provider to notify your enterprise about any breaches without undue delay. Even if the cloud provider experiences a data breach that impacts multiple customers, the controller (you) should own external communications and manage the overall breach with the provider's support. What controllers don't want is a breach making headlines before their provider notifies them of the breach and before the controller is able to notify local authorities.
Processing of personal data outside the European Economic Area (EEA). Because data can be stored in multiple locations by cloud service providers, it is possible that personal data is stored outside the EEA. For this processing, appropriate safeguards must be taken if no adequacy decision has been made about the country where the data resides. Controllers will need to define a multi-country cloud strategy to adhere to adequacy requirements as well as data localization laws.
Data portability for the controller. Controllers must be able to facilitate the right of data portability for data subjects. If the data of the controller is in the cloud, it must be possible for the controller to retrieve the data in a structured, commonly used and machine-readable format to provide to the data subject or another controller. It is important to make agreements about this with cloud providers that are engaged by your enterprise. Providers will need to provide the technical capability to ensure controllers can satisfy this data subject right.
Data ownership. As a controller you must maintain control and ownership of your own data. Therefore this must be spelled out in the contract. In addition, you must confirm that, under the host country's laws, your company retains ownership of the transferred data.
Risk management. Cloud service providers must be subject to your third-party risk management. To determine any risks that may arise when using a cloud service provider, a Data Protection Impact Assessment (DPIA) and a security assessment can be performed. In addition, the right to audit cloud providers must be incorporated in the agreements concluded with these providers. In order to perform a proper audit, a control framework with privacy and privacy-by-design control measures must be defined, together with an appropriate audit plan.
Cloud architecture and privacy by design. As a controller, when engaging a cloud provider, you should understand the underlying technologies the cloud provider uses and the implications these technologies could have on the security safeguards and protection of the personal data stored in the cloud. The architecture of a cloud provider's system should be monitored to address any changes in technology and recommended updates to the system.
Visibility regarding metadata and data minimization. If you, as a controller, are interested in entering into a service contract for cloud services, you should obtain information regarding the types of metadata collected by the cloud provider. Consider what level of protection is afforded to metadata, the respective ownership rights, rights to opt out of collection or distribution of metadata, and intended uses of metadata.
Security of privacy. As a controller you are not in control of the cloud provider's (IT) environment and you must rely upon the (IT) controls that the provider has in place. Therefore, it is always necessary to assess to what extent the provider is able to comply with your IT security requirements. This can be done via the third-party risk management process. In addition, you must also assess what kind of IT security and privacy measures or certifications the provider has in place. Cloud providers can demonstrate compliance with security and privacy by design in several ways:
With the results of a performed DPIA;
By being ISO 27001 certified (information security management system);
By being ISO 27018 certified (code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).