Insight: GDPR is just around the corner – will your cloud services be compliant?
Frank Krieger, VP, Governance, Risk & Compliance at iland, gives an overview of where businesses should be with the GDPR deadline looming.
There are fewer than 60 days before the GDPR compliance deadline.
By Friday 25 May 2018 organisations must be able to demonstrate that they are compliant or show evidence that they are working towards being able to satisfy the Articles that will govern data protection for the foreseeable future.
So, with the deadline in mind, where should businesses be right now in the process of ensuring cloud workloads will be compliant with GDPR?
Finalising Controller/Processor contracts
Organisations that originate the collection of personal data (data controllers) and operate in a cloud environment must be able to give evidence that the data they have gathered is protected as far as possible in all instances of transit, storage and processing. It’s commonplace for organisations to use a chain of third parties to host and process data – the cloud being an obvious example.
As a Data Controller you should now be at the final stages of formulating the contracts that will commit your Data Processors (such as your cloud hosting service) to handling your data to your defined standards of security, geographic location and access required by the GDPR. Part of this should include setting up a system of audit to actively monitor your Data Processors and ensure that they are continuously meeting your GDPR requirements.
This oversight should include visibility into the activities of your Processor through review of policies and defined audits, insight into any sub-processed functions that the Processor may be performing, and assurances that those sub-processed activities are themselves compliant with the Controller’s needs. It’s also important that the contract identifies the types of personal data that will be in scope, the audit bodies agreed to be used, and the procedure for informing the controller if the processor suffers a breach of the data or of the terms under which it is being processed.
Your Data Processors should be fully engaged with you at this stage, demonstrating through their own compliance procedures how they align with what you need to ensure you meet your GDPR obligations.
Educating the organisation on its data protection responsibilities
The GDPR is much more than a tick-box compliance exercise that can be contained within audits and contracts. It requires a full commitment by every organisation to build data protection into its culture and all aspects of its operations, from Support through Accounting to Product Development. The GDPR is not specific to IT; it must permeate all aspects of the organisation to ensure a data protection culture is built.
By now your employees should be aware of the impact of the regulation changes on their daily work processes and responsibilities. Departments will be affected in different ways and to different degrees: some will have been living and breathing the regulation for several years, for others it may be new. But being data protection-aware is no longer optional, it’s critical and regulated.
An ongoing continuous programme of education – from induction through regular refresher sessions – is essential. Part of this process should include furnishing employees with their own data privacy notice, informing them of the way in which their employer will manage and safeguard their personal information. This will help make data awareness relevant for everyone from the Chairman of the Board to the customer service team and beyond.
Wrapping up data mapping, risk and access reviews
By this stage, you should know what data you hold, why you hold it and where it’s located. You should have established the level of risk associated with that data, the levels of access permitted to the data in the course of operations, and a mechanism to measure and oversee the effectiveness of those activities.
The flow of data through your organisation should be clearly understood, with systems in place to identify any changes in data flow that might cause elevated data risk. Modifications to applications, services or procedures should be evaluated through the PIA and DPIA processes noted within the GDPR and overseen by your organisation’s Data Protection Officer (DPO). Linkage between your DPO and your Processor’s DPO should be in place at this stage, with processes to ensure that Data Subject queries are handled in the correct manner and that programme oversight is functioning correctly.
Data protection impact assessments (DPIAs) should have uncovered any high-risk data, and strategies should be under development to mitigate that risk to an acceptable level. The level of access employees have to data should also have been reviewed, applying the principle of limiting access to the minimum number of people required for operations.
Locking the doors on EU data stores
The separation and restriction of EU citizens’ data, plus confirmation of its secure geographic location, should be in its final stages. This ties in with the point above about data controllers and processors and is particularly relevant to the cloud. Controllers need to know that data pertaining to EU citizens is locked down to that geography and will not be inadvertently accessed by staff from other territories. Processors must commit contractually to meeting and sustaining that requirement. For entities that utilise cloud services, it is important that you verify that the proper legal data transfer mechanisms are in place as well.
If your Data Processors are not actively engaging with you on this and all other issues relating to data protection by this stage, you need to start asking questions.
Appointing and embedding the Data Protection Officer
If your organisation is a public body, systematically monitors data subjects on a large scale, or you handle special categories of protected data, you must employ a Data Protection Officer (DPO) who reports to the highest level of the organisation. By now your DPO should be in position, fully resourced and supported to lead your GDPR compliance programme.
Even if you do not officially need to appoint a DPO under the terms of the regulation, you will need to ensure that you have sufficient staff with designated responsibility for ensuring compliance. There appears to be a shortage of qualified data protection specialists in the UK at the present time, which is not surprising. One alternative is to consider appointing a third party specialist to assist in your GDPR compliance activities.
As we approach the run-in to zero day, these are the kinds of activities that should be well under way for businesses that are on track. Remember, 25th May is just the start of a continuous commitment to improving data privacy for everyone; the work will continue, and we’re looking forward to being a key part of that for our customers and partners.
GfK and VMware: Innovating together on hybrid cloud
GfK has been the global leader in data and analytics for more than 85 years, supplying its clients with optimised decision inputs.
In its capacity as a strategic and technical partner, VMware has been walking GfK along its digital transformation path for over a decade.
“We are a demanding and singularly dynamic customer, which is why a close partnership with VMware is integral to the success of everyone involved,” said Joerg Hesselink, Global Head of Infrastructure, GfK IT Services.
Four years ago, the Nuremberg-based researcher expanded its on-premises infrastructure by introducing VMware vRealize Automation. In doing so, it laid a solid foundation, resulting in a self-service hybrid-cloud environment.
By expanding on the basis of VMware Cloud on AWS and VMware Cloud Foundation with vRealize Cloud Management, GfK has given itself a secure infrastructure and reliable operations by efficiently operating processes, policies, people and tools in both private and public cloud environments.
One important step for GfK involved migrating from multiple cloud providers to just a single one. The team chose VMware.
“VMware is the market leader for on-premises virtualisation and hybrid-cloud solutions, so it was only logical to tackle the next project for the future together,” says Hesselink.
The migration to the VMware-based environment was integrated into the existing hardware simply and smoothly in April 2020. Going forward, GfK’s new hybrid cloud model will establish a harmonised core system complete with VMware Cloud on AWS, VMware Cloud Foundation with vRealize Cloud Management, and a volume rising from an initial 500 VMs to a total of 4,000 VMs.
“We are modernising, protecting and scaling our applications with the world’s leading hybrid cloud solution: VMware Cloud on AWS, following VMware on Google Cloud Platform,” adds Hesselink.
The hybrid cloud-based infrastructure also empowers GfK to respond to new and future projects with astonishing agility: resources can now be shifted quickly and easily from the private to the public cloud without modifying the nature of interaction with the environment.
The gfknewron project is a good example – the company’s latest AI-powered product is based exclusively on public cloud technology. The consistency guaranteed by VMware Cloud on AWS eases the burden on both regular staff and the IT team. Better still, since the teams are already familiar with the VMware environment, the learning curve for upskilling is short.
One very important factor for GfK was that VMware Cloud on AWS constituted an investment in future-proof technology that will stay relevant.
“The new cloud-based infrastructure comprising VMware Cloud on AWS and VMware Cloud Foundation forges a successful link between on-premises and cloud-based solutions,” says Hesselink. “That in turn enables GfK to efficiently develop its own modern applications and solutions.
“In market research, everything is data-driven. So, we need the best technological basis to efficiently process large volumes of data and consistently distill them into logical insights that genuinely benefit the client.
“We transform data and information into actionable knowledge that serves as a sustainable driver of business growth. VMware Cloud on AWS is an investment in a platform that helps us be well prepared for whatever the future may hold.”