How EU legislation impacts data processing in the cloud


Last week, the European Union agreed on proposed Data Protection Regulations that potentially impact all organisations that either use or process the personal data of EU citizens. There will now be further consultations before these become statute, but for the first time these will be regulations rather than directives, which means that individual EU member states will have little room for interpretation in how they are applied.

This has implications for IT service providers, SaaS providers and cloud providers, and for their customers. Under the current directives, third-party organisations that store data on behalf of others have limited responsibilities as “processors” rather than “controllers” of data. But under the new proposals, individuals will be able to seek legal redress against any organisation they believe has misused their data and against any third party that processed that data. In addition, the EU may be able to fine those who breach the regulations, with a maximum potential fine of two percent of global turnover.

In practice it will mean that the safeguarding of personal data will become even more important, and that organisations will have to extend their diligence into investigation of the controls and processes deployed by any third party they trust to process data on their behalf. Businesses must now implement “privacy by design”; how this will work in practice is still being debated, but with increasing amounts of sensitive data being available online, companies will be expected to be more aware of privacy and better able to implement it in their IT platforms and in any outsourcing relationships.

Larger processors of data will need to appoint a Data Protection Officer and they will need to evidence transparent processes that deal with:

  • Controls to mitigate risks
  • Data security breach and communication around such incidents
  • Impact and risk assessment around the use of personal data
  • Staff training and awareness
  • The deletion of personal data or “Right to be Forgotten”

In turn this means that businesses engaging with service providers should ascertain that these partners have:

  • Appropriate tools to ensure the physical and logical security of their data; ranging from secure data centres with appropriate access controls, through to logical controls like firewalls, web application firewalls, intrusion detection or file integrity monitoring
  • Processes that control access to and management of data; for example secured logical access to networks or devices, or best practices around server image hardening and patching
  • Processes and tools that facilitate audit and investigation; for example the review and storage of device logging data; transparent monitoring and reporting; or the willingness to allow a third-party audit of systems and processes
  • Processes and tools for the identification and erasure of records, including secure destruction of storage and backup media
  • A demonstrable commitment to staff training and culture of data security.