General Data Protection Regulation (GDPR) is the core of Europe’s digital privacy legislation. “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information,” said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed upon in December 2015.
GDPR applies to all companies which collect and process EU resident’s data. Non-EU companies would need to appoint a GDPR representative and be held liable for all fines and sanctions.
Critical Requirements of GDPR are:
- Lawful, fair, and transparent processing
- Limitation of purpose, data, and storage
Collect only necessary information and discard any personal information after processing is complete
- Data subject rights
A customer can ask what data an organization has on them and the intended use of the data.
Organizations must ask for the consent of the customer if personal data is processed beyond legitimate purposes. The customer can also remove consent anytime they wish.
- Personal data breaches
Based on the severity and regulatory, the customer must be informed within 72 hours of identifying the breach.
- Privacy by Design
Organizations should incorporate organizational and technical mechanisms to protect personal data in the design of new systems and processes
- Data Protection Impact Assessment
Data Protection Impact Assessment should be conducted when initiating a new project, change, or product.
- Data transfers
Organizations have to ensure personal data is protected and GDPR requirements are respected, even if a third party does it
- Data Protection Officer
When there is significant personal data processing in an organization, the organization should assign a Data Protection Officer.
- Awareness and training
Organizations must create awareness among employees about crucial GDPR requirements
To achieve GDPR on the cloud, we need to take these additional steps
- Organizations should know the location where the data is stored and processed by CSP
- Organizations should know which CSP and cloud apps meet their security standards. Organizations should take adequate security measures to protect personal data from loss, alteration, and unauthorized processing.
- Organizations should have a data processing agreement with CSP and cloud apps they shall be using.
- Organizations should only collect the necessary data that it would need and should limit the processing of personal data any further.
- Organizations should ensure that data processing agreement is respected, and personal data is not used for other purposes by CSP or cloud apps.
- Organizations should be able to erase data at will from all data sources in CSP.