The UK Data Protection Act 2018 (incorporating the requirements of the EU General Data Protection Regulation 2016/679 “GDPR”) replaced the previous Data Protection Act 1998 from 25th May 2018. This new legislative framework represents a significantly more comprehensive approach to the protection of personal data, harmonising the data protection rights for individuals throughout the European Union and aligning existing regulatory controls across each country.
For 18 months prior to its introduction, UKCloud undertook a comprehensive review of its compliance with the new Regulation, and successfully completed its preparations well ahead of its introduction.
The Information Commissioner’s Office (ICO) has produced helpful guidance to help organisations understand and ensure their compliance with the UK Data Protection Act 2018 (GDPR). UKCloud has additionally produced a set of informative whitepapers and presentations which further explore the requirements of the Regulation from a cloud perspective.
Currently, there are 28 Member States within the European Union. Previously, each of these operated their own legislative framework for the protection of personal data. GDPR has brought effective data protection into the current digital age, providing citizens with significantly greater transparency, and more comprehensive rights and controls over the processing and storage of their personal data than they had previously.
GDPR has also widened the scope of what is assessed to be personal data, which now additionally includes CCTV imagery, technical records (e.g. IP addresses), biometric and genetic data, and cultural and social identifiers.
At its heart, GDPR is founded upon a need for good data security. Responsible organisations such as UKCloud which are built upon solid information assurance principles are more likely to remain compliant with the UK Data Protection Act 2018 (GDPR). This is because most of the component requirements are already regularly validated through schemes such as our ISO27001/ISO27017/ISO27018 certifications for information security, the existence of effective data processing and monitoring activities, and the technical testing of our IT infrastructure and cloud services to proactively identify and respond to vulnerabilities.
Data privacy affects everybody regardless of their age, status or location. The UK Data Protection Act 2018 (GDPR) requires clear explanations of personal data processing activities to be provided in advance, for example within Privacy Notices. If individuals are required to provide consent for the processing of their personal data, this needs to meet stronger criteria than before. Data subjects also have rights to request details of their personal data, to have incorrect or outdated personal data corrected, to move their personal data to another data processing organisation, and to require their personal data to be deleted in certain circumstances, for example when it is no longer required and there is no other reason for it to be retained.
In 2017, UKCloud Health conducted a survey which identified that 72% of UK adults are concerned about the protection of their personal data and 82% believe that their permission should be obtained before organisations are permitted to store their data outside of the UK.
All organisations which process personal data of any sort are legally required to comply with the UK Data Protection Act 2018 (GDPR) and its associated requirements. Article 35 of GDPR requires “privacy by design and default”, and notes that a Data Protection Impact Assessment (DPIA) should be undertaken if there are likely to be any risks to the data subject from the processing activity. UKCloud completed its assessments ahead of the changeover, and validated that effective organisational, personnel and technical controls are operating to ensure that personal data is being securely managed, processed and stored.
Organisations should be providing updated data protection training and awareness programmes for their personnel, ensuring that they have a full understanding of their personal data processing activities and the associated risks to personal data, as well as their need to co-operate with data protection related matters. UKCloud has undertaken progressive, mandatory training courses over the last 18 months, and we can confirm that all our colleagues have achieved the required level of GDPR knowledge and competency.
GDPR has updated the existing relationship between the Data Controller and Data Processor, and contractual agreements with customers, suppliers and personnel need to have been reviewed and updated to reflect GDPR’s requirements. Understanding the responsibilities of these roles provides clarity and defines co-operation: for example, when delivering data subject rights (Articles 15-21) a co-ordinated response within the specified tight timeframes is essential.
Some organisations, including public authorities and those who undertake large-scale processing of personal data or the monitoring of data subjects, are now required under Article 37 to designate an experienced Data Protection Officer to provide comprehensive support and guidance to the organisation on GDPR matters, as well as being the point of contact for data subjects and the ICO (as the UK’s supervisory authority). UKCloud is considered a large-scale processor of personal data, and our own GDPR preparations progressed well under the guidance of our Certified DPO.
Finally, Article 33 of GDPR has placed strict timescales (within 72 hours) on the identification and reporting of any security breach which affects personal data, and all organisations need to implement and operate effective monitoring and alerting activities to ensure that timely notifications of such issues are available and promptly reported to the ICO (as Supervisory Authority within the UK) and also to affected data subjects (under Article 34). UKCloud’s platforms and services are constantly monitored by a protective monitoring service, and our 24×7 NOC promptly reacts to and investigates any reported alerts.
With the increasing adoption and use of cloud services, organisations need to properly understand and assess the precise nature of their use of such services. Whether that includes the provision of cloud services by a public-sector organisation to citizens – for example by a local authority or healthcare trust – or the occasional use of cloud utilities such as Dropbox or Google Drive by its personnel, a thorough assessment of the GDPR-compliance of each cloud supplier is essential.
Specific care should be taken to identify where cloud services are actually being delivered and supported from – which may not be immediately obvious. For example, many global cloud service providers are not headquartered within the European Union, regardless of whether or not they have chosen to locate their data centres in the EU. Special attention needs to be paid to their applicable data protection framework, their ability to comply with the requirements of GDPR and whether specific data subject consent to move their personal data to off-shore locations needs to be obtained. Working with UK-sovereign cloud service providers such as UKCloud removes these challenges.
Article 40 of GDPR introduces “Codes of Conduct”, which allows for the independent validation of an organisation’s preparedness for meeting the requirements of GDPR. The Cloud Infrastructure Service Providers of Europe (CISPE) organisation has developed a code of conduct and independent validation programme which assesses whether cloud infrastructure providers have fully complied with the requirements of GDPR. This validation approach helps cloud customers and their end users to make an informed decision about the suitability of cloud providers, and gain a level of trust in their services. All UKCloud’s infrastructure-based services have been successfully certified under the CISPE code of conduct.
Much press attention has been devoted to the significant financial penalties which have accompanied the introduction of GDPR. Whether arising from a data breach, a failure to deliver the rights of a data subject, or non-compliance with another part of the Regulation, the maximum penalty is €20m (approx. £17m), or 4% of global annual turnover if greater. Even for less serious contraventions, the maximum penalty is €10m, or 2% of annual, global turnover. And that doesn’t include any additional civil claims for compensation from individual data subjects who may have been affected by the issue – a right now afforded to them under Article 82 of GDPR.
The UK Data Protection Act 2018 (GDPR) came into force on 25th May 2018. Every organisation needs to fully understand what is required, identify and assign implementation responsibilities to competent personnel, and closely manage their compliance to ensure that they are protected from the financial consequences, negative publicity and ultimate threat to business survival that falling foul of GDPR’s penalties will bring. Conversely, demonstrating that an organisation can be trusted to securely manage personal data is an extremely positive message that will help to differentiate offerings and attract new customers.
Help and advice on the UK Data Protection Act 2018 (and GDPR) is widely available, including from the Information Commissioner’s Office website. Within the context of cloud services, more detailed information is available within our whitepaper and blog. UKCloud’s customers and partners should contact their Account Manager if they would like (a) to reach out to our DPO or GDPR Specialists for more detailed information about UKCloud’s own compliance and how we co-operate with our customers and partners, or (b) to engage with one of our experienced Cloud Architects for assistance in selecting and implementing the right UKCloud services which will ensure data protection requirements can be achieved.