GDPR and the cloud. Don’t rain on my parade.
The introduction of GDPR will have an impact on the cloud as a technology platform. I had concerns with the cloud long before this change in regulation, which will be upon us in May next year (see previous articles). Putting it simply, cloud is “putting your data on someone else’s computer” (a quote from a T-shirt I saw and loved). It is “outsourcing” your data, which for most businesses is their most valued asset. It could be compared with someone trading in gold bullion and giving the bars to a company to store for safe keeping. They go off, dump it in a warehouse somewhere in the world (if you are lucky they might tell you which continent) and then send you photographs from time to time to prove it still exists. You wouldn’t be able to see or touch it, but you would be secure in the knowledge that someone else is taking care of it. With the cloud, you are trusting completely in a third party, with not only the data, but the platform it runs on. If either goes down, there’s not much you can do about it. I’m not saying that the cloud doesn’t have its benefits, but as a “data controller” you need to be clear about whether it is “fit for purpose” for your business model.
Cloud and the “right to be forgotten”
GDPR makes these issues a lot more complicated. Let’s take the example of the concept of the “right to be forgotten”, which has some interesting implications. First is dealing with “subject access requests”. If someone wants the details that your organisation may hold on them deleted, then how can you make sure that you have complied if you don’t even know where the data is? Most server farms (Amazon, Google, Microsoft) are in the US, although they are now building more within the EU. That raises territorial concerns under the regulations, but it would also make it difficult to guarantee that the data has been removed, and to provide proof that this has been done.
Cloud computing, by its very nature, mirrors instances (creates an instant exact copy) across different server farms across the globe. The advantage of this is that if a server goes down (or the US gets nuked) they would switch across to the European servers to ensure business continuity. The problem again is guaranteeing that the information has been deleted across all versions, in all territories, let alone the multitude of backups. Obviously, some sort of reality check will enter this discussion, as it may be good enough that the data is “inaccessible” and cannot be made available easily to others within and without the organisation (link to article), but the whole platform does have its own complications. Putting it simply, “how would you know?”
Next in the series “GDPR and the cloud, data processor agreements”.
About the Author
Malcolm Ford has 25 years’ business experience on 2 continents covering a wide variety of sectors, from international law firms to manufacturing. For the past 8 years he has worked in data migration and analytics and is now bringing his insights to assist businesses with their GDPR compliance.