The Cloud in the era of GDPR or GDPR in the era of the Cloud?

cloud computing 2001090 960 720 2

The phenomenon of the digitization of information systems has been a necessary or even mandatory development. It is both a vector of competitiveness and modernity, but it should also be considered to be an area of risk. The use of the Cloud is a perfect illustration of this phenomenon, having taken a prominent and substantial place in the organization of companies.

Over the past two years, twice as much data has been stored in the Cloud as in enterprise data centers. But above all, 90% of current data has been stored over the past two years. This shows the considerable evolution of its use, but raises many questions about the security of the data stored there. The phenomenon illustrates a real loss of control of this information by computer systems.

Many individuals have seen their data security breached by attacks on the Cloud. For example, 57 million Uber customers had personal data stolen from the Cloud, and data relating to 2.5 million Yves Rocher customers including  names, email addresses, phone numbers, dates of birth and postcodes were offered for sale on the ‘Dark Web’. The persons identified by the data did not envisage that it could – or would – be accessed by third parties.

Personal data breaches have become so common that any individual’s personal data is bound to be hacked or mis-used.

What about Cloud compliance with the GDPR ?

In theory, if the data embedded in the Cloud is properly structured and controlled, no security vulnerabilities should emerge. However, this is far from being the case, given the number of breaches revealed in recent years. The CNIL (the “Commission nationale de l’informatique” which oversees French data privacy laws) carries out numerous checks to verify whether companies comply with the conditions of the GDPR.

The major difficulty in complying with the GDPR is being able to negotiate with Internet giants, who have direct access to users’ data.

Contractual negotiation at the heart of this compliance process it is not an easy exercise. Contractual negotiation may be possible with small companies, but seems impossible when faced with Internet giants. The most difficult clause to negotiate concerns the applicable law in the event of a dispute, which obviously presents a considerable challenge in respect of data protection. In conclusion, compliance with GDPR when working on the Cloud is a major challenge and is often almost impossible. Security problems surrounding personal data appear to be a real obstacle to commercial activities. Clearly, Internet users are increasingly aware of data breaches and are looking for Cloud services which protect their data.

However, when reading the GDPR, there is no specific provision for the Cloud. This is regrettable given the importance and evolution of the Cloud.

What about subcontracting, as defined in the GDPR ?

According to the GDPR and the CNIL, concerning the processing of data, a processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. This can be the person or company hosting the data, or any person or company that would have access to the data at any given time.

However, since the introduction of the GDPR, the balance of responsibilities has become more balanced. Before its provisions and in accordance with the French law of 1978, about personal data, the liability of the controller company for operations was about 90% compared to 10% for the processor, the company in charge would now be 51% liable against 49% for the subcontractor. It is therefore appropriate for the processor to ensure compliance with the provisions of the GDPR as much as the controller company.

The GDPR therefore imposes an almost impossible compliance, as it appears complex and concerns a large number of actors, linked to each other.

In practice, how to comply with the GPDR provisions?

The question is not how to comply with it, as the exercise is so difficult, but how to get as close as possible to compliance. GDPR sets very strict minimum compliance requirements.

Perhaps, in order to keep data as secure as possible, we should not put everything on to the Cloud, although it does allow easier organization within companies.

IPzen is a centralized, intuitive and secure file managment solution that allows you to consolidate your files in one place and save time. This management tool supports you in protecting your data thanks to its simple and intuitive platform! Would you like to know more about it? Request your demonstration by email at: contact@ipzen.local