Written by Ian Murphy
The arrival of the European General Data Protection Regulation (GDPR) next year will start a 2-year scramble to be compliant or risk fines of 5% of turnover or 100m Euros for data breaches.
Data protection across Europe is about to change, and the reason is simple: the European Commission (EC) has not made any significant changes to data protection law since 1995. There have been tinkerings, but the 1995 legislation was left to national governments to interpret and implement as they saw fit. Now the EC has decided that it is time for a comprehensive overhaul of the rules and to make them mandatory across all EU countries.
The Association for Information and Image Management (AIIM) has just issued a report entitled: Making sense of European Data Protection Regulations as they relate to the storage and management of content in the Cloud. While this is a sponsored paper and anyone downloading from the AIIM site has to agree to their data being shared with the sponsors, it is a well written paper with some clear guidance that cloud providers can begin to act on.
As well as a short overview of the GDPR, it provides a useful look at the impact for organisations/businesses and some strong recommendations for data controllers and processors. At the end of the report is a set of Appendices covering the current legislation in 13 European countries as of today.
It is already a little out of date in that there is no mention of the UK Data Regulation and Investigatory Powers (DRIP) Act. This is the only obvious omission and there is plenty of information around it elsewhere, including the fact that legal challenges are being mounted to it both in the UK and EU courts.
In terms of storing data in the cloud, the report makes a number of key points. The most important of these is that responsibility for the data still lies with the cloud customer, NOT the cloud provider, when it comes to complying with data legislation. This is something that often gets overlooked, especially by smaller companies, who tend to abdicate their responsibility when moving data to the cloud.
They believe that the cloud provider knows better than they do what has to be done to protect data. In this, they are probably right, but they must still do some due diligence around their cloud partner. They need to establish:
- Where the data will be hosted – somewhere in the EU is not always the right answer.
- How it is backed up – will the cloud provider do this, or do you have to do it yourself?
- What security is used – for example, encryption of data both in transit and in storage.
- Who has access to the encryption keys – many cloud providers retain the keys, but that means they can be compelled to hand them over.
- Whether your business insurance covers use of cloud storage – this is rarely checked by any business and, in the case of a breach, could leave a company exposed to large losses that cannot be recovered.
As with many reports of this type, there is a focus on cloud security standards, and this is becoming a contentious area. Just because a company has achieved a standard at a point in time does not mean that it is still compliant. It takes several audit failures before an organisation is stripped of its accreditation, and that means customers could be working with an untrustworthy provider without knowing it. The report correctly says “these standards are designed to be audited” but doesn’t go as far as recommending that customers ask to see the most recent audit.
Over the next two years, companies and cloud providers need to educate themselves, update their processes and ensure that they understand the implications of the GDPR. This document provides a good management-level primer.