Oliver Price’s Weekly GDPR Blog #9 – Don’t Leave your Head in the Clouds
I am often asked about cloud computing arrangements. The new EU General Data Protection Regulation (GDPR) will require adequate security measures to be taken so that personal data about individuals is protected from loss, alteration or unauthorised access by third parties.
Therefore, a data protection audit now requires you to consider cloud computing arrangements. A sensible first step is to establish where a cloud supplier is processing and storing your data and, in particular, whether it is travelling outside the UK. You need to know to which country, or countries, data is going. As you might expect, certain countries pose much higher risks than others, and the EU keeps a list of those it is satisfied are safe when data is transferred. There are different types of cloud computing and sometimes it is clear where in the world data is stored, but that is not always the case.
You should ask your cloud supplier to confirm that they will comply with the GDPR requirements and enter into an agreement to confirm that they will do so. Your cloud supplier also needs to inform you very quickly if any data has been subject to unauthorised access or, even worse, has been passed to a third party. You should also ask your data supplier to confirm that they will be able to erase data when you have finished using it and it needs to be destroyed.
Given the challenges of deleting data, it may not be as easy as simply pressing a button. However, speaking to your cloud supplier now could save you a lot of bother after 25th May 2018 (when we will have the GDPR in force).
Last updated 30/11/2017