The EU General Data Protection Regulation (GDPR) replaces the existing UK Data Protection Act and comes into force on 25th May 2018. GDPR is a comprehensive Regulation which strengthens the data protection rights of individuals throughout the European Union and harmonises the existing regulatory controls across each of the Member States.
UKCloud has successfully completed an 18-month project to ensure that it is ready for the introduction of GDPR, and details of our preparations and ongoing commitments to the new Regulation can be found here.
The Information Commissioner’s Office (ICO) provides helpful information about understanding and implementing GDPR’s requirements, which can be found here. UKCloud has also produced a set of whitepapers and presentations which further explore the requirements of the Regulation from a cloud perspective.
Why is GDPR Required?
Currently, there are 28 Member States within the European Union, each with its own independent framework for the protection of personal data. GDPR makes data protection relevant to the current digital age, providing citizens with greater transparency and more comprehensive rights and controls over the processing of their personal data than they have currently.
GDPR significantly expands the definition of what constitutes personal data, which now additionally includes CCTV imagery, technical records (e.g. IP addresses), biometric and genetic data, cultural and social identifiers, amongst others.
At its heart, GDPR requires good data security. Responsible organisations such as UKCloud which are built upon solid information assurance principles are more likely to be compliant with GDPR, as most of the component requirements are already validated through schemes such as ISO27001 certification for information security, the existence of effective data processing monitoring activities and the technical testing of IT infrastructure to proactively identify vulnerabilities.
Strengthening the Rights of the Individual
Data privacy affects everybody regardless of their age, status or location. Under GDPR, clear explanations of personal data processing activities need to be provided in advance, for example within Privacy Notices. If individuals are required to provide consent for the processing of their personal data, this will be subject to meeting stronger criteria than before. Data subjects also have rights to request details of their personal data, to have incorrect or outdated personal data corrected, to move their personal data to another data processing organisation, and to require their personal data to be deleted in certain circumstances, for example when it is no longer required and there is no other reason for it to be retained.
In 2017, UKCloud Health conducted a survey which identified that 72% of UK adults are concerned about the protection of their personal data and 82% believe that their permission should be obtained before organisations are permitted to store their data outside of the UK.
Demonstrating GDPR Compliance
All organisations which process personal data of any sort will be required to fully comply with GDPR’s many requirements. Article 35 of GDPR requires “privacy by design and default”, and notes that a Data Protection Impact Assessment (DPIA) should be undertaken if there are any risks to the data subject from the processing activity. UKCloud has completed all its assessments, and validated that effective organisational, personnel and technical controls have been implemented to ensure that personal data is being securely managed, processed and stored.
Organisations should consider providing a GDPR training and awareness programme for their personnel, ensuring that they understand their personal data processing activities, the associated risks to personal data, and their need to co-operate on data protection related matters. UKCloud has undertaken progressive, mandatory training courses over the last 18 months, and all our colleagues have achieved the required level of GDPR competency.
GDPR updates the existing relationship between the Data Controller and Data Processor, and contractual agreements with customers, suppliers and personnel will need to be updated to reflect GDPR’s requirements. Understanding the respective responsibilities of these roles provides clarity and defines co-operation: for example, when delivering data subject rights (Articles 15-21) a co-ordinated response within tight timeframes is essential.
Some organisations, including public authorities and those who undertake large-scale processing of personal data or the monitoring of data subjects, will be required under Article 37 to designate an experienced Data Protection Officer to provide comprehensive support and guidance to the organisation on GDPR matters, as well as being the point of contact for data subjects and the ICO (as the UK’s supervisory authority). UKCloud is considered a large-scale processor of personal data, and our GDPR preparations have progressed well under the guidance of our DPO.
Article 33 of GDPR places strict timescales (within 72 hours) on the identification and reporting of any security breach which affects personal data, and all organisations will need to implement and operate effective monitoring and alerting activities to ensure that such issues are identified in a timely manner and promptly reported to the ICO (as Supervisory Authority) and also to affected data subjects (under Article 34). UKCloud’s platforms and services are constantly monitored by a protective monitoring service, and our 24×7 NOC promptly reacts to and investigates any reported alerts.
The CISPE data protection code of conduct anticipates the General Data Protection Regulation (GDPR). It aligns with the strict requirements laid out in the GDPR framework to help cloud infrastructure providers comply and to help customers and end users to select cloud providers and trust their services. All UKCloud’s IaaS and PaaS services are certified under the code of conduct.
GDPR and Cloud Services
With the increasing use of cloud services, organisations should take special care to understand the precise nature of their use of such services. Whether that includes the provision of cloud services by a public-sector organisation to citizens (for example by a local authority or healthcare trust), or the occasional use of cloud utilities such as Dropbox or Google Drive by its personnel, a thorough assessment of the GDPR-compliance of each cloud supplier is essential.
Care should be taken to identify where cloud services are being delivered and supported from, which may not be immediately obvious. For example, many global cloud service providers are not headquartered within the European Union, regardless of whether or not they have chosen to locate data centres in the EU. Special attention needs to be paid to their applicable data protection framework, their ability to comply with the requirements of GDPR, and whether specific data subject consent will need to be obtained before personal data is moved off-shore. Working with UK-sovereign cloud service providers such as UKCloud removes these challenges.
Article 40 of GDPR introduces “Codes of Conduct”, which allow for the independent validation of an organisation’s preparedness for meeting the requirements of GDPR. UKCloud has successfully submitted all of its cloud services for certification under the CISPE (Cloud Infrastructure Services Providers in Europe) Code of Conduct, and this validation provides additional assurance of a cloud service provider’s compliance and capabilities to its cloud customers.
The Potential Cost of Getting It Wrong
Much press attention has been devoted to the significant financial penalties which accompany the introduction of GDPR. Whether arising from a data breach, a failure to deliver the rights of a data subject, or non-compliance with another part of the Regulation, the maximum penalty under GDPR is €20m, or 4% of annual global turnover. Even for less serious contraventions, the maximum penalty is €10m, or 2% of annual global turnover. And that doesn’t include any additional civil claims for compensation from data subjects who have been affected by the issue, now available to them under Article 82 of GDPR.
Time to Prepare
GDPR arrives on 25th May 2018. The time is now for every organisation to understand what is required, identify and assign implementation responsibilities to competent personnel, and closely manage the project to ensure completion in time. Becoming compliant is not optional, and it will help to protect the organisation from the financial consequences, negative publicity and ultimately the threat to business survival that falling foul of GDPR’s penalties will bring. Conversely, preparing early and demonstrating that an organisation can be trusted to securely manage personal data is an extremely positive message that will help to differentiate offerings and attract new customers.
Help and advice on GDPR is widely available, including from the Information Commissioner’s Office website. Within the context of cloud services, more detailed information is available within our whitepaper and blog. UKCloud’s customers and partners should contact their Account Manager if they would like to (a) reach out to our DPO or GDPR Specialists for more detailed information about UKCloud’s own preparedness or how we co-operate with our customers and partners, or (b) engage with one of our experienced Cloud Architects for assistance in selecting and implementing UKCloud services which will help to deliver GDPR requirements.