IAPP CIPT – GDPR for Cloud Service Providers (CSPs) Part 3

January 20, 2023

9. Codes of conduct, certifications and compliance

Hi, guys. So what are the important steps to compliance? The GDPR clearly sets out the rights and obligations of sub-processors and requires them to meet strong contractual requirements. There's something that's been missing from this conversation, though, and that's how to handle cloud apps.

You know, apps like Salesforce, Concur, Expensify, Workday, SuccessFactors, Box, Dropbox, WeTransfer and more and more: the apps your business increasingly depends upon, and that an increasing number of people and lines of business are going out and procuring without any help or oversight from IT. According to various cloud reports, the average European enterprise is using 680 of them.

10. Important steps to compliance

Hi guys. Let's discuss choosing a hosting provider. The GDPR marks a change in the balance of responsibility between data controller and data processor. Under the new regulation, data processors such as IT hosting providers and cloud hosts have more responsibility. To better protect the data, customers will need to start questioning their cloud providers, and any potential new suppliers, about whether they are GDPR compliant and how they can demonstrate that they are.

It's also critical to understand where cloud providers are storing your data. They might have UK or European Union data centers, but does your contract prevent data being transferred to their data centers outside the European Union? And are you aware when it is being transferred? You can still host your IT with providers outside the European Union, but you will need to ensure that these providers have safeguards and security measures in place that meet GDPR standards in order to remain compliant if you're handling data about EU citizens.

There are also questions over whether customers should host with non-UK cloud providers because of Brexit. But the crucial point is whether your provider is adhering to GDPR standards, wherever your systems are hosted. Many providers, Amazon Web Services among them, offer localization warranties that allow customers to choose whether data is located in the European Union or specifically in the UK.

Despite this, customers often need more control over their data and have specific contract requirements that the hyperscale cloud providers such as Amazon, Google or Microsoft can't bend their contracts to meet. For example, I have worked with a partner that delivered a cloud service to a Netherlands-, Germany- and Poland-based customer who had originally tried to source their cloud solution from Amazon Web Services. However, AWS wasn't able to personalize its contract to meet specific data protection requirements that were already enforced in the Netherlands, Germany and Poland.

11. Choosing a hosting provider

Hi guys. So what do businesses need to do in order to make the correct choice? What you need to do is ensure you're making the right choice about your cloud provider in light of the GDPR and current data protection policies. Am I right? So here is what you should go for. First, ask your provider whether they are GDPR compliant or have measures in place to become compliant. Some cloud providers are signing up in advance to an industry code of conduct that aligns with GDPR standards, so it could be useful to review your supplier's position on these regulations. Then carry out a risk assessment to determine the level of risk you could pose to individuals should your data be compromised, to understand whether you need to take further measures to protect the data.

If you are handling large amounts of personal information about individuals, then you may need to appoint a Data Protection Officer, or DPO. Companies involved in large-scale monitoring, CCTV recording or profiling will certainly need to consider this. Then be sure about where your data and applications are stored. If you are working with a cloud provider, is that data ever moved out of the European Union or the European Economic Area? What does your contract say about data residency warranties? These are all things that you need to discuss with your provider and perhaps capture in the contract.

12. What businesses need to do

13. Software and CSPs to consider – part 1

Hi, guys. Once the myths and uncertainties around the GDPR are addressed and the customer has a strategy for implementation, solution and process mapping become the next hurdles. Once again, providers have the opportunity to bring tools and services to the table to make GDPR compliance time- and cost-effective. The challenge is helping customers identify what data within their environment needs to be protected. Most importantly, vendors should stress the fact that GDPR compliance requires both technology and process changes, and that both elements are necessary to build a successful business case. As tempting as it may be for providers to lead with their technology as the solution to all GDPR problems, the most successful strategies will be equal parts process and technology. Providers must help customers assess what privacy-related data they have, where it resides, who owns it, and what policies must govern it.

Once these policies are understood, the right technology and solutions can be chosen and applied to ensure an efficient and successful implementation. To better illustrate the breadth of technology and services vendors can deliver to aid GDPR compliance, I will present some vendors I have worked with and that I think will be a good choice for every company. So here they are. Number one: Actiance. Actiance provides solutions for enterprise communications compliance. The Actiance platform is a comprehensive solution made up of the company's three product offerings: Alcatraz, Vantage and Socialite. Together, these tools can enable an organization to address EU GDPR Articles 15, 17 and 25. Let's start with the first one.

Alcatraz is a cloud-based content archive that natively captures and preserves data from more than 80 different communication channels in a centralized repository of enterprise communications, in context. The solution has capabilities to automate data retention policies, provide fast and accurate search and data retrieval, set access controls as well as segregation of duties, and provide comprehensive audit trails for regulatory reporting requirements that will have strict response time frames in place. Vantage gives the enterprise the ability to be more proactive in managing enterprise communication compliance. This solution enables the moderation of conversations and the flagging of information that may violate industry regulation or company policies before those conversations are archived, saving time on searching for data later and surfacing issues as they arise. Socialite extends policy controls and risk reporting to the social networks that firms have authorized for use by employees to reach customers or partners. The enterprise can control the business use of social networks with the ability to moderate, restrict or even block content and unauthorized usage. Actiance products were built with data privacy by design and by default, and unlike many traditional software vendors, the software does not need to be overhauled or upgraded to meet those requirements. Alcatraz leverages TrueCompliance, which is Actiance's method for capturing content in a forensically sound and defensible manner. In addition, the data stored within the platform is encrypted both at rest and in motion, and the company has received certifications such as SSAE 16, SOC 2 and ISO 27002. Once an organization has a GDPR strategy in place, Actiance can enable it to implement greater data governance and compliance around enterprise communication. To help with the planning and development of a GDPR readiness strategy, Actiance has partnered with IBM, which can provide services around data mapping and identification.

In the context of the new regulation, this partnership ensures that implementations of Actiance will be as successful as possible. Number two is Amazon Web Services, a public cloud service provider. Under the new European GDPR regulation it is considered a data processor, as it was before under the old European data protection law. As of last year, AWS has met the requirements necessary to be considered a GDPR-compliant partner. The AWS architecture has been built with data protection and data security in mind and meets the goals of Article 25 of the GDPR: data protection and privacy by design and by default. The company has already obtained internationally recognized certifications for compliance and security to demonstrate to customers like you its commitment to supporting them on their path to strong data privacy and security.

Certifications received include ISO 27017, ISO 27018, SOC 1, SOC 2, PCI DSS and even SOC 3, as well as several industry-specific and regional accreditations. ISO 27018 in particular is a code of practice that focuses on the protection of personal data in the cloud; it also provides a set of additional controls and associated guidance intended to address public cloud personally identifiable information (PII) protection requirements that are not addressed by the existing ISO 27002 control set. Ultimately, it is the responsibility of the business to understand what data it has, where it currently lives and where it should live, what value it brings to the organization, and what retention and deletion policies are appropriate.

However, once an organization has gone through the process of working with its legal teams and consulting partners to determine its individual roadmap to GDPR readiness, AWS can help business leaders tactically implement that strategy by instrumenting enterprise data and configuring the infrastructure to more easily locate and analyze enterprise data at scale. Large, complex organizations like those in financial services and healthcare are likely to benefit the most from this type of solution, which can tie multiple systems together under one umbrella for greater visibility, manageability and security. Ultimately, I personally believe this is Amazon's greatest strength around GDPR: the ability to provide cost-effective data and analytics, telemetry, and also mapping tools native to its.
