Irish Data Protection Commission’s new guidelines encourage organizations to choose the most secure cloud provider

While moving to the cloud can have a lot of benefits, it may also raise some privacy concerns. Cutting administrative costs, the ease of remote collaboration and flexible mobile working are definitely on the pros side. On the other hand, privacy professionals usually worry about confidentiality and fear losing control over data. With the General Data Protection Regulation of the EU (GDPR) in effect, legal departments’ top focus is now compliance with data protection regulations.

The GDPR requires organizations to consider data protection issues as part of the design and implementation of systems, services, products and business practices, without diminishing functionality, i.e. data protection by design and default. Specifically, this means that appropriate technical and organisational measures need to be implemented to protect the personal data that is processed. Since the GDPR itself does not provide practical explanation as to what is deemed to be “appropriate”, a bigger emphasis lies on the interpretation of the regulation by data protection authorities.

Considering the advantages and the risks of using cloud-based environments, the Irish Data Protection Commission (DPC) has issued a new guideline, suggesting that “organisations should carefully evaluate cloud-based vendors based on the security features they offer”. They summarized the most important aspects for the assessment of cloud providers and the features needed for a safe cloud environment.

What should you look for when you are planning to engage with a cloud service and how can you convince your privacy department to get on board?

1. Access control: Always look for service providers which enable multiple access control settings. Logging who accesses relevant data and when, can help when backtracking unusual activities within your company account, while login alerts can make sure that you become aware of any unauthorized access promptly. When organisations are working with shared folders, user access privileges should be set in order to avoid unauthorized alteration or deletion of confidential documents.

2. Strong Passwords: A chain is only as strong as its weakest link. No matter how securely a system is built, everything depends on a well-chosen password. This is why the guideline recommends organisations implementing strong password policies in order to avoid unauthorized access to personal data.

3. Two-factor authentication (2FA): As a second tier for ensuring authorized access only, it is a wise step to turn on 2FA. After entering the right password, access is granted only after successfully presenting two or more pieces of evidence (or ‘factors’) such as an authentication code received on a different channel, e.g. via email or SMS. Choose cloud providers where you can enable 2FA.

4. Never settle for default settings: The guideline emphasizes the importance of utilizing additional security features facilitated by the cloud provider. It is even better to choose a cloud provider where the default settings already protect personal data at a high level. In certain guidelines on the GDPR, encryption – particularly the end-to-end version – is highlighted as an appropriate safeguard to protect data. End-to-end encryption ensures that even if any data is leaked from the cloud due to a malicious hacker attack or human error, it will not be considered a notifiable data breach. To illustrate this further, we gathered some scenarios that demonstrate how encryption can save you from serious consequences when an unfortunate event occurs which might be beyond your control.

5. Clear policies: For the sake of security, the guideline recommends that organisations define clear policies in connection with the use of the cloud service, such as data retention, maintaining network access, and sharing control. Staff trainings, handbooks, and awareness programs are definitely effective ways to raise data-consciousness, yet the second most common cause of data breaches is human error. Implementing a technical framework to support organisational principles can minimize the risk of accidental data leaks. For example, HR and legal teams probably share contracts externally, but your graphic designers or developers may not use this function at all. In their case, external sharing may be disabled, and they can proceed with their job with confidence, free from worries about copying the wrong person to an email. If you want to learn more about data security policies, you might find this article useful.

5. Seek assurances: When your organization engages a cloud provider, the organization is usually considered a data controller when regarding the data you upload to the cloud. This means that GDPR compliance is still your organization’s responsibility, and you shall seek guarantees to ensure that the service provider undertakes the appropriate protection and secure processing of your personal data, in accordance with your instructions. For lack of compliance, controllers could be held accountable.

In practice, this means that after you successfully assess the security features cloud providers offer and choose the best option, as a next step you should conclude a data processing agreement (DPA) with them. The DPA is a legally binding document in which the data processor guarantees compliance with the requirements of data protection by design, and assists you in demonstrating your compliance with the GDPR. For a broader summary and useful tips and tricks to having a GDPR-proof DPA in place, check out our blog post and whitepaper here.

Until now, the UK Information Commissioner’s Office has had a leading role in the interpretation of the GDPR, but after Brexit, their guidelines are no longer exemplary. Some predict that the DPC will become the next dominant supervisory authority in GDPR matters, so it is probably worth taking its guidelines into consideration from now on.