Following an 18-month project, UKCloud is today pleased to announce that it has fully completed its preparations for the forthcoming EU General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018.
Key Validation Activities
We’ve always understood the security requirements and controls for personal data which is entrusted to UKCloud’s services, and we’ve taken the opportunity to re-validate our data asset discovery. All cloud services are already subject to formal risk management activities (including under ISO27017, see below), and we’ve also completed detailed Data Protection Impact Assessments as required by Article 35 of GDPR on every activity that processes personal data in some way.
At UKCloud, data security has always had the highest priority, and many of the new and strengthened requirements mandated by GDPR were already in place. We’ve maintained our ISO27001 certification for information security for many years now and have in more recent times added the supplementary focused control sets to achieve ISO27017 certification for cloud security and ISO27018 certification for the security of personal data in cloud environments. We mustn’t forget that we also maintain ISO20000 certification for IT Service Management, which is at the heart of our commitment to provide the best possible service to our public-sector customers.
Article 40 of GDPR promotes adherence to Codes of Conduct, which provide independent validation to data processor organisations that they are acting in accordance with GDPR’s requirements. UKCloud is pleased to confirm that it has successfully submitted all its cloud services as certified compliant with the CISPE Code of Conduct, which provides an additional layer of reassurance that our cloud services are secure, compliant and trusted environments to process and store personal data.
Aside from certifications and codes of conduct, the independent, detailed technical assessments of the security of UKCloud’s platforms and services significantly reduce the risk of personal data loss, breach or compromise. We continue to undertake regular IT Security Health Check (ITSHC) tests, which provide significant evidence that we comply with GDPR’s Article 25 (“data protection by design and by default”), for example by validating the secure design of our cloud platforms and services, confirming that access is locked down, ensuring the segregation of different cloud customers’ environments, and enforcing secure configuration and patch management.
We’ve benefited from having a formally certified Data Protection Officer in place (GDPR Article 37), ensuring that all our preparatory and ongoing tasks are appropriate and effective in achieving full compliance with the Regulation and our obligations under it. The DPO has also overseen the comprehensive programme of colleague training sessions and briefings which have ensured that everyone at UKCloud understands GDPR and their role in keeping us compliant with it.
Helping our Customers
Whilst UKCloud’s preparations have been completed, we’re continuing to help our customers and partners achieve their own GDPR readiness goals. This has been approached in three ways.
Firstly, our regular programme of GDPR education and awareness activities continue to be popular, with a combination of 1:1 briefings, regular webinars and formal events – all supported by informative collateral – helping to clarify the route to effective GDPR compliance and challenge any misconceptions. We’ve got many more such events planned both pre and post-GDPR, and we encourage our customers and partners to take the opportunity to participate and assess their own preparations and understand how UKCloud can assist.
Secondly, UKCloud’s Commercial Team have worked to produce updated contracts for our customers and partners which align with GDPR’s requirements. These, along with UKCloud’s “GDPR Evidence Pack”, clearly define the respective roles and responsibilities of the Data Controller and the Data Processor and have provided clarity to many customers: this has been particularly important in areas such as delivering data subject rights (Articles 15-21), where a co-ordinated response within tight timeframes is required.
Finally, those familiar with GDPR will have noted the focus on protecting the processing of personal data (Article 32), which highlights technical measures including:
1(a) – the encryption of personal data
1(b) – the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services
1(c) – the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
1(d) – a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the data processing
UKCloud provides a wide variety of services, solutions and features from which our customers can select and configure to deliver the above objectives. Building upon our previously noted evidence of risk management and technical validations our customers can, for example:
- Manage and control the levels of access and privilege that their own personnel and systems have by using the secure UKCloud Portal
- Monitor the levels of user and system access and activity using UKCloud’s 24×7 GPG13 platform protective monitoring service and their own virtual environment monitoring tools
- Be assured that our cloud platform and network links (and therefore customers’ applications) are protected from DDoS attacks by our use of specialist Neustar DDoS infrastructure
- Trust that their personal data will always remain in the UK: everything we do is based in the UK and there is no risk from overseas data protection frameworks or jurisdictions
All of the above, and much more (e.g. a dedicated Account Manager, free carbon offsetting), is delivered as standard. Other services, such as those below, are selected according to the risk appetite and disaster recovery requirements of each individual customer, who can:
- Design and implement cloud services that meet their own resilience/availability requirements, by configuring workloads across our secure, Crown Campus UK data centres
- Use our Disaster Recovery to the Cloud service to ensure that their on-premises or third-party hosted services will continue to be available via our replication and recovery tools
These, and many others, are regularly discussed in planned webinars and briefings, and our customers and partners can reach out to UKCloud at any time for assistance from one of our experienced Cloud Architects or GDPR Specialists in understanding how such technical controls can assist them with addressing specific GDPR requirements.
So, as our preparatory work concludes, there is still much to be done to remain compliant with GDPR, and we’re not resting on our laurels. GDPR requires a serious and ongoing commitment to ensure the protection of personal data, and at UKCloud, that’s a commitment that we willingly sign up to.
Find out more about UKCloud and GDPR here.
John Godwin is UKCloud’s Director of Compliance & Information Assurance. As a Certified Data Protection Officer, he is responsible for co-ordinating UKCloud’s preparations for the forthcoming EU General Data Protection Regulation and is a regular conference and event speaker on information security and data protection matters.