GDPR compliance one year on: finding harmony with cloud computing
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. We have previously written about how the regulation enhances existing data protection rules for all businesses handling personal data of EU citizens and extends responsibilities from data controllers to also cover data processors. One year on from its implementation, what has changed?
Impact of the new regulation
Prior to the GDPR coming into force, there was a flurry of activity by businesses keen to demonstrate preparations were being made, opt-in emails were (often unnecessarily) sent to subscribers and press releases issued. However, due in part to the complexity of the regulation, many companies were in the end unable to meet compliance requirements; the IAPP-EY Annual Governance Report 2018 indicates that around 50% of businesses (amongst those who responded to its survey) had been unable to achieve GDPR compliance by the deadline and, worse still, almost a fifth claimed that full compliance was impossible. The EU published an infographic in 2019 which shows a steady flow of complaints made under GDPR and data breach notifications which are required under the legislation - so clearly it is being invoked.
But even though many companies may still be failing to achieve full compliance one year on, what is clear is that GDPR is now firmly on the radar of those responsible for mitigating business risk. Organisations considering IT infrastructure requirements such as cloud computing facilities often raise the subject of GDPR compliance before making a decision. And they are also very keen to establish cybersecurity credentials of providers, with a view to staving off any data protection concerns.
In terms of fines, the UK has not yet applied a penalty exceeding the previous maximum limit of £500,000, before GDPR raised this to the greater of €20 million of 4% of global annual turnover. However, Elizabeth Denham, Information Commissioner, noted that the £500,000 fine which Facebook received in the wake of the Cambridge Analytica scandal - just before the GDPR came into force - would “inevitably have been significantly higher under the GDPR”. The first significant demonstration of the teeth which the GDPR has given to regulators came in January 2019 when Google was fined €50 million by French data regulator CNIL, for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation" - part of the decision was due to Google’s use of pre-ticked consent boxes, which highlights the importance of getting even the small details right.
GDPR and cloud computing
Managed service providers (MSPs) and cloud service providers (CSPs) are covered by the GDPR. This means that, although their clients are still responsible for ensuring compliance with data protection rules (as data controllers), MSPs and CSPs now share this responsibility (as data processors). Regulatory compliance in the cloud is therefore a joint effort; cloud computing providers should be willing to demonstrate an awareness of the key data protection principles and offer a robust control environment with optimal cybersecurity provision.
Here at Navisite, we regularly evaluate and audit our systems, services and personnel; maintaining certifications for security, compliance and cloud with over 1,400 certifications, so clients can rest assured that we are meeting the highest standards for processes, controls and procedures that help ensure safety and GDPR compliance in their cloud environment. To discuss any concerns regarding compliance with the GDPR and other regulation, get in touch.