On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) came into force. In December, the final adaptation of GDPR to Spanish law was approved. For many companies, complying with the regulation poses significant challenges. Having a cloud service in place can aid compliance of GDPR and the Organic Law on Data Protection and Guarantee of Digital Rights.
What is GDPR?
There are increasingly more companies that store, manage and work with personal data. Proper use of personal data and the protection of privacy have become central issues around the world. States have developed different protection policies and the EU’s General Data Protection Regulation (GDPR) has standardized them.
The European regulation on data protection establishes new responsibilities and obligations for companies as well as significant penalties for those that do not comply. One of the most prominent obligations is the so-called “data protection by design.” This means that every company that manages personal data must take action to guarantee, by default, that they are complying with the regulation.
The challenges of data protection for companies
Apart from some large companies that have compliance departments specialized in GDPR compliance, the data protection regulation presents significant challenges for most organizations. Storing data on the cloud and trusting a cloud computing provider may be the solution to these challenges.
- Guaranteeing the cybersecurity and storage of data in secure countries
- Keeping a transparent record of data processing activities
- Establishing protocols to communicate any security breach within a maximum timeframe of 72 hours
- Complying with the accountability principle, which refers to predicting possible risks and damages from the beginning
- Guaranteeing compliance of the right to be forgotten and the right to data portability
- Having the express consent of every data subject to process their data
A cloud service for GDPR compliance
GDPR compliance utilizes a significant amount of company resources. Many cannot afford the time or budget required to create a data protection strategy from scratch. The solution is on the cloud. It is important to point out that the data controller must always ensure that the service provider is adhering to the regulation. This is how cloud computing can help to achieve GDPR compliance.
- Security. A cloud service provider has up-to-date and secure technology. The data stored on the cloud are always protected.
- GDPR certification. Cloud service companies have staff who are experts in the compliance of storage regulations and data processing. Nevertheless, the client can request certification to ensure compliance with the European regulation.
- Transparent record. A cloud service, whether it has simple storage infrastructure or whether it is a platform or software, allows the client to obtain an updated and detailed record of data processing activities
- Ease of portability and erasure. With GDPR, the data subject can always ask for their data to be deleted from the file (the right to be forgotten) and obtain their data in a structured, commonly used and machine-readable format (the right to portability). Trusting a cloud storage service aids compliance of both rights in a simple and flexible way.
In conclusion, opting for data protection on the cloud involves trusting a company that has infrastructure, capacities and staff who are data experts. However, GDPR states that the responsible party is always the company that processes the data and not the service provider.