Is Cloud Software GDPR Compliant? A Guide for Marketers

Put in simple terms, the cloud is a network of servers designed to store huge amounts of data.

Companies can utilize this hardware to store their own data, which is accessible to them through the internet.

Popular examples include Dropbox, Google Cloud, and Amazon Web Services.

Broadly speaking, cloud software can be categorized into three types:

1. Public – an internet-based cloud service delivered to multiple organizations, either for free or with a pay-per-use subscription
2. Private – an in-house cloud service dedicated to a single company
3. Hybrid – a mixture of public and private cloud

They are often also broken down another way:

• Infrastructure-as-a-Service (IaaS) – a company pays to access a cloud provider’s computing and storage resources
• Software-as-a-Service (SaaS) – a company pays to access software on-demand over the internet
• Platform-as-a-Service (PaaS) – a service with a development and deployment environment that companies can use to build applications in a browser

Cloud storage can have huge advantages for enterprises at a contained price: it reduces data security and management costs, improves communication, and catalyzes better teamwork.

Businesses also benefit from enhanced security, less downtime from IT infrastructure issues, and excellent scalability as they grow. 

Taken together, cloud software provides companies the extra flexibility that can give them a crucial competitive advantage: 

• 84% report operational improvements within the first months of introduction (Multisoft)
• Small and medium enterprises find it 40% more cost-effective to employ third-party cloud platforms than maintaining an in-house alternative (Multisoft)
• 94% of businesses report substantial improvements to online security after migrating data to the cloud (Salesforce)

Crucially, 91% of companies believe that cloud storage platforms have been a great help with their compliance work for government requirements, like GDPR (Salesforce).

They have long been designed with security front and center, employing advanced encryption when transmitting data – meaning that no unauthorized user is able to access private information.

That said, GDPR has permanently changed how personal data can be stored and processed in the cloud and the EDPS – the EU privacy watchdog – is investigating whether Amazon’s AWS and Microsoft’s Azure cloud service are protecting citizen data effectively.

Cloud software GDPR compliant rules for providers are as follows:

• Develop principles for the processing of personal data
• Ensure the process for data processing respects the GDPR’s 8 data subject rights
• Establish requirements for privacy by design for anyone involved in data processing and controlling activities
• Implement controls over data ownership and data portability right
• Introduce security measure that ensure the privacy of data
• Establish principles for the processing of data to international parties
• Develop policies and procedure to manage data breaches
• Develop policies regarding the establishment of contractual agreements, data retention periods and other applicable requirements

Third party security issues are a major concern of GDPR, and these include when a third-party cloud platform is storing data on behalf of a client business.

GDPR distinguishes between “data controllers” and “data processors” when it comes to accountability for the security of personal information.

In this context, the business is the data controller, while the cloud software provider is the data processor – meaning that the business is therefore responsible for keeping personal data safe, regardless of whether it’s stored on their own servers or not.

Before migrating to the cloud, it is advisable for companies to ensure that their personal data flow is properly mapped out and to carry out a privacy impact assessment. 

Central to this will be the following considerations:

• Data sovereignty
  GDPR regulations stipulate that data must be stored in the European Union.
  Luckily, there are many cloud service providers that let you choose where data is stored, so you can select one that uses data centers in Europe.
   
• Data security
  Check what security the cloud storage platform has in place, and choose one that offers end-to-end encryption.
  Ultimately, you need to be satisfied that the provider has adequate security procedures in place.
   
• Respect for data subjects
  Choose a cloud provider that adheres to the eight privacy rights of EU data subjects – this information should be readily provided by cloud companies.
   
• Data protection by design and by default
  Ensure that the cloud company has integrated security into their design and procedures – for instance by using zero-knowledge encryption that restricts access to sensitive information.
  This is key given that any data breaches will ultimately be the responsibility of your company.

Once a company has migrated data to the cloud, it’s wise to carry out regular audits to ensure that operational procedures and processes continue to comply with GDPR.

It is also advisable to regularly check that the cloud platform continues to comply with any security assurances given. 

This work is normally carried out by independent third-party watchdogs or review sites, which should be verified before making any decision about which option to go for.