Many Irish businesses rely on third party 'cloud' providers to store large quantities of data, which can be accessed by employees remotely.
The cloud offers flexible and affordable software, platforms, infrastructure, and storage to organisations, allowing them to reduce costs, increase flexibility, and improve IT capability.
Many industry experts believe that the use of cloud computing will become as ubiquitous as internet use in the next couple of years, but the implementation of the General Data Protection Regulation (GDPR) in May 2018 is going to be a challenge for both cloud computing providers and their customers.
The new legislation puts obligations on both the customer (the data controller) and the service provider (the data processor) in relation to personal data, and both can be held responsible for non-compliance. Put simply, outsourcing to a third party does not reduce your responsibility in any way if there is a data breach, and if you are storing or processing data on behalf of someone else, you can also be liable if there is a breach.
While most cloud providers are already well advanced in their preparations for GDPR compliance, if you are using a cloud provider, here are six things you need to be aware of, each of which your cloud provider should be able to explain to you clearly.
1. Know where your data is stored & processed – Many cloud computing services replicate data across multiple sites around the world to back it up. If your data is held on multiple sites, which countries are they in, and does any of it leave the EU/EEA? Transfers outside the EEA need a recognised legal basis under GDPR (for example an adequacy decision or standard contractual clauses). How is the data transferred securely between sites, and what are the security procedures at each?
2. Make sure that your provider is GDPR compliant – Most large cloud computing companies are aware of GDPR and already preparing for it, but if you do not verify that they are, you could be held responsible (and be subject to fines) if there is a serious data breach. Get this commitment in writing: GDPR requires a written contract between you and the provider setting out how they will process your data.
3. Does your cloud supplier have a Data Protection Officer/Office – A company storing large amounts of personal data for numerous clients should have not only a named Data Protection Officer but a properly resourced Data Protection Office behind them. Ask for the DPO's contact details; you will need them if you have to respond to a subject access request or a breach involving data held by the provider.
4. Ensure that data stored for you is only accessible to you – this should go without saying, but data stored on your behalf should not be shared with or accessible to any third party, and your cloud supplier should state this clearly in your agreement. Ask which sub-processors (other companies the provider relies on) can access your data, how your data is isolated from other customers' data, and which of the provider's own staff can access it and under what controls.
5. Only collect & store the data you need – up to now many organisations have kept all of the data they hold on customers, or on anyone who has 'opted in' to receive information from them, even where significant parts of that data were not necessary for the work or communication the company wanted to carry out.
It is worth considering whether you need all of the data that you hold. Would it be simpler to retain only the data you actually need? GDPR requires personal data to be limited to what is necessary for the purpose it is collected for, and it would be particularly disheartening to receive a large fine for a breach of information that was not in any way relevant to your work.
6. Once you are finished with data stored on the cloud, it should be destroyed – once you have deleted data, the cloud provider should be able to confirm that it has been removed from all copies, including backups and replicas, or tell you how long backups are retained before the deleted data is purged. If a copy survives and that data gets into the wrong hands, you could be held responsible.