Cloud and GDPR: The Business of Accountability
One of the highlights of 2018 was the way in which the issue of regulatory compliance was brought to the fore due to the GDPR. Earlier, we wrote an article about what GDPR is and how it will affect the way organizations big and small process data. Adapting to GDPR might seem overwhelming to many companies and if you’re one of them, there’s nothing to fear. In our interaction with clients, we’ve learnt that a basic understanding of what GDPR means to ‘your business’ goes a long way in helping implement GDPR.
The GDPR set out seven core principles which could be helpful for companies when they process personal data. These principles are quite similar to the EU’s 1988 Data Protection Act with the addition of an “accountability principle” which makes it clear that the GDPR means business. The seven principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
The seven principles which are at the heart of GDPR are aimed at educating enterprises about the right way to process data. With public interest in mind, these principles push the envelope on a business’ responsibility to allow the public to have access to their data, make explicitly aware of how it’s being processed and to delete or change data that an individual may not want disclosed.
What does this mean for companies?
Companies need to be concise and clear on the outset about the collection and use of personal data. This means everything – ranging from data collected via forms on websites to any miscellaneous information collected and stored, like IP addresses, device tracking information etc. They also are required to spell out the reasons for collecting personal data, ensure that customers have access to the data that has been stored, validate the accuracy of this data and explain how such data is used by decision making algorithms.
It is now also imperative to seek explicit consent from respective individuals before using their data in any way. Automatic consent (pre-filled checkboxes), for example, aren’t allowed any more. Consent must be sought using unambiguous language. Also, remember that consent can be withdrawn by an individual at any time.
Separate consent is required for each type of activity you may intend to perform with their data. As an example, you will need separate consent for emailing them, calling them, and/or sending postal mail to a mailing address.
What about data in the cloud?
With migration to cloud storage becoming a norm lately, GDPR has laws in place to regulate the data on cloud too.
“The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of personal data.”
Mandatory Breach Notification
GDPR also has strict rules about notification and even going public within 72 hours of a breach.
“Article 33(1) states that “In the event of a personal data breach, data controllers must notify the supervisory authority “competent under Article 55“….Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Note that when a data processor experiences a personal data breach, it must notify the controller but otherwise has no additional notification or reporting obligation under the GDPR.
Article 34(1) further states that “If the controller has determined that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must also communicate information regarding the personal data breach to the affected data subjects.”
This is very important. For companies this is equivalent to going public with the fact that you had a breach!
But, there’s an out. Even if you do suffer a breach, while you will still need to report it to the regulator, you may get relief from having to go public and notify all impacted subjects – provided – you’ve encrypted your data!!
Article 34(3) states that “The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(1) the controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”;
How is it similar or different from other regulations?
GDPR is the latest in a long line of regulations that have come in place over the last 35+years. The only thing that is a constant is that regulations are increasingly making organizations more and more accountable for the data they own – and that trend is unlikely to change, at least in our lifetimes.
For one thing, the GDPR tends to place citizen rights at a higher plane than the Executive Branch’s right to collect information on its citizens.
There is also a better attempt to define what is personal data. This may not be as straightforward as simply saying let me look for PII – like Social Security #s or Aadhaar #s or PAN #s and remove them. Any data that singly OR in conjunction with other data to identify an individual. So, you need to be mindful of seemingly disparate pieces of information about a person which individually won’t uniquely identify them – but when put together can uniquely identify a person.
GDPR has strict rules, as we discussed above, about breach notification and even going public within 72 hours of a breach.
Also, GDPR has teeth, more so than previous regulations. It can hurt organizations where it matters most – Penalties can be as high as 4% of annual revenues, not to mention the negative PR impact.
On the other hand, GDPR is also quite similar to other regulations in that it fundamentally asks for the same basic compliances:
- Know what you have
- Manage access to what you – and make sure it doesn’t fall in the wrong hands
- Protect / Save what you have – so you don’t lose it in case of a disaster
- Prove that you have processes that are doing the above on a regular basis
Overall, if an organization is already compliant with existing regulations like HIPAA, SOX etc., it will most likely not have too much trouble complying with GDPR. If not, it can be some work – but it is best to get started. It is never too late to start!