How the EU legislation will impact data processing in the cloud

Last week, the European Union agreed on proposed Data Protection Regulations that potentially impact all organizations that either use or process the personal data of EU citizens. There will now be further discussions before these become law, but for the first time these will be regulations, rather than policy, which means that different EU member states will have little room for interpretation in how they are applied.

This has implications for IT service providers, SaaS providers and cloud providers, and for their customers. Under the current policy, third-party organizations that store data on behalf of others have limited responsibilities as “processors” rather than “controllers” of data. But under the new proposals, individuals will be able to seek legal compensation against any organization they believe has misused their data and against any third party that processed that data. In addition, the EU may be able to fine those who breach the regulations, with a maximum possible fine of two percent of their global turnover.

In practice this will mean that the safeguarding of personal data will become even more important, and that organizations will have to exercise due diligence in investigating the controls and processes deployed by any third party they trust to process data on their behalf. Businesses must now implement “privacy by design”; how this will work in practice is still being debated, but with increasing amounts of sensitive data being available online, companies will be expected to be more aware of privacy and better able to build it into their IT platforms and into any outsourcing relationships.

Larger processors of data will need to appoint a Data Protection Officer and they will need to evidence transparent processes that deal with:

  • Controls to mitigate risks
  • Data security breach and communication around such incidents
  • Impact and risk assessment around the use of personal data
  • Staff training and awareness
  • The deletion of personal data or “Right to be Forgotten”


In turn this means that businesses engaging with service providers should determine that these partners have:

  • Appropriate tools to ensure the physical and sound security of their data; ranging from secure data centers with appropriate access controls, through to consistent controls like firewalls, web application firewalls, intrusion detection or file integrity monitoring

  • Processes that control access to and management of data; for example secured logical access to networks or devices, or best practices around server image hardening and patching
  • Processes and tools that facilitate audit and investigation; for example the review and storage of device logging data; transparent monitoring and reporting; or the willingness to allow a third-party audit of systems and processes
  • Processes and tools for the identification and erasure of records, including secure destruction of storage and backup media
  • A demonstrable commitment to staff training and culture of data security.

On June 25, 2015, posted in: Blog, Cloud Services