This website uses cookies for advertising and analytics purposes as described in our cookie policy. For more information and to set preferences, please click here. By continuing to browse this website, you accept our use of cookies.
GDPR Cloud Compliance
Cloud security and privacy in context of the GDPR
What is the General Data Protection Regulation (GDPR)?
Under European Union (EU) law, personal data can only be gathered legally under strict conditions and for a legitimate purpose. Persons or organizations that collect and manage personal information must protect it from misuse and must respect certain rights of the data owners, which are guaranteed by EU law. The previous Data Protection Directive (95/46/EC) had caused unacceptable variety among national data protection laws, thereby creating barriers in the internal EU digital market, and did not adequately address developments in information technology, such as cloud computing and social media. The GDPR was enacted to address the data collection that had exploded with cloud computing, often without EU citizens consenting to the collection of their personal data.
One of the central principles of the GDPR is its Accountability Principle: organizations must demonstrate that they comply with the GDPR and that they have taken appropriate measures to ensure compliance. Add the new ‘right to be forgotten’ and the new privacy principles of Data Protection by Design and Data Protection by Default, and one can conclude that managing compliance with the GDPR will be a challenge. Penalties for non-compliance can reach 20 million euro or 4% of annual turnover, whichever is greater.
Who does it apply to?
- EU governments and businesses regardless whether they process personal data of EU citizens or not.
- Non-EU businesses providing services to EU consumers or monitoring the behavior of EU citizens.
What data are protected?
- Personal data are any information relating to an individual. It can be anything from a name, a photo, an email address, a person’s bank details, medical information, work performance, tax number, education or competencies, etc. The GDPR applies when a person can be directly or indirectly identified by such data, or when a person can be uniquely singled out in a group of individuals.
What are the data subject’s rights?
- Right to view and understand processing of their personal information
- Right to restrict or object the processing of personal data
- Right to rectification of inaccurate personal data
- Right to erasure of personal data
- Right to receive their personal data
Requirements
Consent
The controller is required to have a sufficient legal basis for the processing of personal data. The data subject must grant explicit consent for their personal data to be controlled or processed. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Lawfulness, fairness, and transparency
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. The processing of data must also meet the legal tests outlined in the GDPR regulation.
Purpose limitation
Personal data can only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimization
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Integrity and confidentiality
Appropriate security and privacy protections shall be instated to ensure the integrity and confidentiality of personal data. This shall entail data protection by design and by default.
Accuracy
Reasonable measures must be taken to ensure that all personal data are accurate and updated accordingly and that any inaccurate data is erased or rectified in a timely manner.
Storage limitations
Personal data shall be stored only for as long as necessary for the processing of the data. Only under certain circumstances shall the personal data be stored for longer periods.
Accountability
Organizations must demonstrate that they comply with the GDPR and that they have taken appropriate measures to ensure compliance. This principle underlies the importance of keeping detailed logs of all activity related to the processing of personal data.
Breach notification
In the event when a personal data breach has occurred, the controller is required to notify the breach to the supervisory authority no later than 72 hours after becoming aware of the breach. When the breach will likely result in a high risk to the rights and freedoms of a data subject, the controller shall report the breach to the data subject without delay. The Regulation outlines the information to report in addition to the notification of the breach.
A Preliminary Checklist for Compliance
Managing the Challenges of the Cloud under the EU GDPR – whitepaper
Written in conjunction with an EU privacy lawyer, this whitepaper describes the GDPR and its implications for organizations that use the cloud. Read this whitepaper to gain an in-depth perspective on the GDPR and cloud compliance.
Learn moreGDPR Resource Center
Learn how Netskope can help your organization with GDPR compliance in the cloud.
Learn moreWant to see Netskope in action?
Request a Demo