GDPR Cloud Compliance

Cloud security and privacy in context of the GDPR

Netskope

What is the General Data Protection Regulation (GDPR)?

Under European Union (EU) law, personal data can only be gathered legally under strict conditions and for a legitimate purpose. Persons or organizations that collect and manage personal information must protect it from misuse and must respect certain rights of the data owners, which are guaranteed by EU law. The previous Data Protection Directive (95/46/EC) had caused unacceptable variety among national data protection laws, thereby creating barriers in the internal EU digital market, and did not adequately address developments in information technology, such as cloud computing and social media. The GDPR was enacted to address the data collection that had exploded with cloud computing, often without EU citizens consenting to the collection of their personal data.

One of the central principles of the GDPR is its Accountability Principle: organizations must demonstrate that they comply with the GDPR and that they have taken appropriate measures to ensure compliance. Add the new ‘right to be forgotten’ and the new privacy principles of Data Protection by Design and Data Protection by Default, and one can conclude that managing compliance with the GDPR will be a challenge. Penalties for non-compliance can reach 20 million euro or 4% of annual turnover, whichever is greater.

Who does it apply to?

  • EU governments and businesses, regardless of whether or not they process personal data of EU citizens.
  • Non-EU businesses providing services to EU consumers or monitoring the behavior of EU citizens.

What data are protected?

  • Personal data are any information relating to an individual. It can be anything from a name, a photo, an email address, a person’s bank details, medical information, work performance, tax number, education or competencies, etc. The GDPR applies when a person can be directly or indirectly identified by such data, or when a person can be uniquely singled out in a group of individuals.

What are the data subject’s rights?

  • Right to view and understand processing of their personal information
  • Right to restrict or object to the processing of personal data
  • Right to rectification of inaccurate personal data
  • Right to erasure of personal data
  • Right to receive their personal data

Requirements

Consent

The controller is required to have a sufficient legal basis for the processing of personal data. The data subject must grant explicit consent for their personal data to be controlled or processed. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Lawfulness, fairness, and transparency

The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. The processing of data must also meet the legal tests set out in the Regulation.

Purpose limitation

Personal data can only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimization

Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

Integrity and confidentiality

Appropriate security and privacy protections shall be put in place to ensure the integrity and confidentiality of personal data. This entails data protection by design and by default.

Accuracy

Reasonable measures must be taken to ensure that all personal data are accurate and kept up to date, and that any inaccurate data are erased or rectified in a timely manner.

Storage limitations

Personal data shall be stored only for as long as necessary for the processing of the data. Only under certain circumstances shall the personal data be stored for longer periods.

Accountability

Organizations must demonstrate that they comply with the GDPR and that they have taken appropriate measures to ensure compliance. This principle underscores the importance of keeping detailed logs of all activity related to the processing of personal data.

Breach notification

In the event of a personal data breach, the controller is required to notify the supervisory authority of the breach no later than 72 hours after becoming aware of it. When the breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall also report the breach to the data subjects without delay. The Regulation specifies the information that must accompany the notification of the breach.

A Preliminary Checklist for Compliance

Data subject consent and rights

Ensure explicit consent from the data subject. Ensure the organization is able to exercise data subject rights, including the right to be forgotten, the right to erasure, etc.

Data location and transfer

Know where data is stored and where all partners and vendors store their data. Ensure that, if the organization’s data will be transferred outside the EU, proper procedures are in place to comply with the GDPR.

Organization and training

Ensure that a sufficient organizational structure is established and appoint a Supervisory Authority in the EU if necessary. Train the security personnel in your organization on the GDPR and its new rules and requirements.

Accountability and compliance

Establish procedures to monitor and log all data processing and storage to demonstrate compliance with GDPR.

Breach notification process

Establish procedures to report breaches in due time, and consider encryption of personal data.

Managing the Challenges of the Cloud under the EU GDPR – whitepaper

Written in conjunction with an EU privacy lawyer, this whitepaper describes the GDPR and its implications for organizations that use the cloud. Read this whitepaper to gain an in-depth perspective on the GDPR and cloud compliance.

GDPR Resource Center

Learn how Netskope can help your organization with GDPR compliance in the cloud.
