Despite its widespread popularity, cloud storage presents inherent risk, especially when businesses use cloud providers that do not give customers the same amount of control over their data as they would with an on-premises data center.
Logically, the best choice for GDPR-compliant cloud storage is a provider that actively protects data privacy, as well as encrypts critical files and other personally identifiable information (PII).
GDPR ensures that organizations based in the European Union and any organization that does business with an EU member nation follow strict protocols to protect personal data. The regulation aims to prevent unauthorized access to personal data and ensures that companies and individuals know where their personal data is, how to access it, and how and when the data is used.
Additional attributes include fines and penalties for data breaches, documentation of activities to ensure data privacy and protection, establishment of a data protection officer (DPO) within GDPR-compliant entities, and regular reviews and audits of GDPR activities.
Determine if cloud providers storing data are GDPR-compliant
GDPR compliance is mandatory if the provider has a business relationship with an EU-based organization. Ask the vendor for evidence of GDPR compliance.
Most major cloud vendors are GDPR-compliant since they likely have customers in EU member nations. If this is not the case, personal data owners must ask for consent from visitors to company websites and other resources that note personal data may be processed. Failure to do so may result in financial penalties for noncompliance with GDPR.
Access to secure email is an important way to validate that vendors are GDPR-compliant. Providers should also encrypt all data. Vendors that demonstrate they have no knowledge of a user's personal data are likely to be GDPR-compliant.
10 relevant GDPR directives applicable to cloud storage
GDPR requirements can be difficult to understand and apply. Organizations that store customer data or PII within cloud storage should know relevant GDPR rules and regulations to ensure compliance. Organizations can also look to regulations to ensure their data is compliant with GDPR, even if they store it with a cloud provider.
1. Processing of data
Organizations that process personal data, such as the cloud vendor, must do so "in a lawful, fair and transparent manner." To achieve this, organizations must do the following:
- There should be a legitimate reason to process the data.
- Data should only be processed for the specified purpose.
- Organizations that process user data must advise users of any activities that involve personal data.
2. Limitations of the reasons for processing data
An organization that processes data must only collect necessary data and not retain it once it is processed. They cannot process data for any reason other than the stated purpose or ask for additional data they do not need. They must ask if personal data can be deleted once it has served its original purpose.
3. Rights of data owners
Data owners and data controllers have the right to ask the cloud provider what data it has about them and what it has done with that data. They can ask for corrections to their data, initiate a complaint and request the transfer or deletion of personal data.
4. Right of consent
Data owners must provide documented permission when a data processor wants to perform an action on personal data beyond the original requirements.
5. Data breaches to personal data
The processing entity or cloud vendor must inform applicable regulators and personal data owners of a data breach within three days. The vendor must also maintain a log of data breach events.
6. Ensuring data privacy in new systems
Organizations that plan to switch cloud vendors must design features into the new system that ensure privacy, security and GDPR-compliant management of personal data.
7. Conducting an impact assessment to ensure data protection
Organizations that process personal data must perform a Data Protection Impact Assessment in advance of any new project or modifications to existing systems that may affect how they process personal data.
8. Transferring data inside and outside the organization
If a third party might process data, the organization that processes personal data -- the controller -- is responsible for the protection of personal data. This is also true if the controller transfers data within the organization.
9. Establishing a DPO role
The DPO's responsibility is to ensure personal data is processed safely and securely. They must also ensure compliance with GDPR. The data owner and data processors, such as cloud vendors, can establish this role.
10. Ensuring GDPR compliance through awareness and training
To ensure companywide support for GDPR, data owners and processing entities must make employees aware of the regulations and provide training so that employees know their responsibilities.
GDPR-compliant storage vendors
The following is a brief list of GDPR-compliant storage vendors, most of which have cloud storage resources:
- Amazon (Amazon S3, Amazon Drive)
- Google (Google Cloud Platform, Google Drive)
- Microsoft (Microsoft Azure, Microsoft OneDrive)
- Backblaze (B2 Cloud Storage)
Achieve and maintain compliance with GDPR
Protection of personal data is what GDPR is all about, and its regulations are specific about how to protect personal data. Organizations that wish to be GDPR-compliant should have an operational policy, procedures and protocols related to the storage and processing of personal data. They must also be able to document transactions that involve personal data to support the organization's GDPR compliance. Document these activities for audit purposes, and review and update them regularly.