Get Your Business GDPR ready!

Featured article by Philip Piletic, aspiring writer and blogger

Lately, the trending debate topic in the computing industry has been the new EU law tackling storage and manipulation of personal data. General Data Protection Regulation (GDPR) will be applied starting from May 2018 and while legislators are still working on details, its main purpose is clear: establishing a singular conduct of personal data processing for all 28 member states of the European Union. This reform will affect not only businesses that offer cloud services but also companies that use these systems.

The Effects of GDPR on Cloud Service Providers

Cloud service companies, labeled as data processors, don’t have responsibility or control at the moment over the information they obtain, hold or operate with, their only duty being to follow the instructions of data controllers. The GDPR changes that, obliging any service providers working with personal information to follow the rules, which include, for example, data minimisation and proving valid consent from individual users.

Furthermore, the new law broadens the meaning of “personal data”, covering now details varying from IP to social, economic, cultural or medical information. The new regulation will be in the advantage of emerging cloud computing companies that will set foot on safe legal ground. However, for already established providers, adjustments will be costly and will rock their current workflows.

Processors will be able to ask for less personal information and will have to change the way they require it. New terms and conditions should be designed in accordance with the regulation, however, the big change will consist in transforming the systems for storing data, which are now based on backups. When GDPR comes with effect, every person will have the right to ask for complete personal data erase. Taking into consideration all these aspects, the new structures must keep track of personal data back-ups, store them for a definite amount of time and stop collaborating with third-parties, which is now a common practice.

How GDPR Impacts Businesses

Not only cloud service providers have to change their ways of working. Data controllers and any sort of company that touches in any way personal information are obliged to adopt a new set of safety procedures. Even companies outside the European Union have to comply if they work with personal data of European citizens.

Businesses and private or public organizations need to assign a data protection officer (DPO) which will evaluate the conformity with the existing regulation. Also, all businesses targeted by the law have to perform privacy impact assessments to reduce risks of eventual breaches. Besides monitoring for data violations, enterprises need to notify breaches in 72 hours after detecting them, which implies changing internal policies and procedures.

These new measures will increase spendings for businesses that use this type of services. In addition to that, cloud service providers are likely to raise their fees due to the new legal requirements, resulting in a general increase of cloud computing cost.On the other hand, companies that develop activities in more than one EU state will benefit from a unitary legal framework, which helps them to cut expenses in some departments.

GDPR and Individual Consumers

In the future, blockchain technology will probably allow decentralization of technology and people will be able to store and access their data safely and also have control over any other entities reaching their information. But for now, the GDPR is designed to protect individuals from any misuse or exploitation of data. Soon, processors and controllers will be able to claim just the absolutely necessary data needed to perform a certain service, they will have to ask clearly for consent to process the data and they will not be allowed anymore to share the information with third parties, which mostly consist of marketers.

Last, but not the least, consumers can now be in charge of their previously given information by empowering them to ask for permanent deletion.

According to a Eurostat statistic, cloud computing was used in 2016 just by 21% European companies and most of them only hosted email systems or stored electronic files, which signals prevailing insecurity about the safety of these services. At the moment, each country has its own different set of rules, the common basis being the “Article 29 Working Party”, a document that has an advisory status and acts independently. For cross-European businesses, these variations imply expensive and tedious processes to assure a proper legal framework when handling personal data. As from an individual’s user point of view, The European Commission states than 90% of Europeans want the same data protection rights across the EU and the world. More and more people buy, pay and communicate using web or mobile apps, so they want to feel protected when they introduce their information online.