Gartner Blog Network


Stop Agonizing Over GDPR Opt-In Emails and Start Thinking about How Your Use of Cloud Impacts GDPR Compliance

by Richard Watson  |  May 25, 2018  |  Comments Off on Stop Agonizing Over GDPR Opt-In Emails and Start Thinking about How Your Use of Cloud Impacts GDPR Compliance

Are you thinking About Your cloud providers and the GDPR? You should be. Using IaaS cloud service providers to process personal data introduces new risks. If you use Cloud providers, you need to evaluate and manage that risk against your GDPR compliance requirements.

I know you all want to know “What cloud service providers are GDPR-compliant?

Although I understand the desire for a score for each cloud provider, neither Gartner nor any external advisor can or should answer this question for you because of the way the GDPR approaches compliance. Your requirements for GDPR compliance will arise from a data protection impact assessment that must be performed by your business. Even if there were a certified GDPR compliance scheme (one is planned), your compliance must align with the sensitivity of the data you hold. For example, if you keep a list of 10,000 subscribers to your newsletter, the sensitivity is lower than holding one million medical records for people undergoing treatment for a life-changing disease. You need to use controls in proportion to the identified privacy risk, and that control requirement may be unique.

I’ve just published “Assessing Amazon Web Services, Google Cloud Platform and Microsoft Azure for Your GDPR Readiness” (subscription required) with my colleague Mike Wonham. Our paper addresses questions regarding the use of cloud provider services with data in scope for the GDPR. It begins by laying out the scope and required principles for evaluating the cloud service providers’ (CSPs’) role in your compliance process. Then, it answers the two separate and related questions, “How do I evaluate my cloud providers’ approach to the GDPR?” and “How are my cloud providers and their provided tools helping me be GDPR-compliant?” Having examined CSP behaviour and the tooling, this assessment then offers guidance about what you might need to bridge the gap to your compliance requirements.

gdpr-figure-1-roles

Here are the basics: When you are using a cloud provider, the GDPR identifies two roles that must be clarified and understood to ensure correct processing of the data: the data controller and data processor roles, and the GDPR applies to both. The data controller determines the purposes (the “legal basis for processing”) and means of processing personal data, and the data processor is responsible for processing personal data for the controller. Article 28 of the GDPR brings new obligations for both you, if you are the data controller, and CSPs, as your data processor, which you will need to demonstrate for compliance. Though it might seem obvious that the service-consuming organization is the data controller and the service-providing organization (the CSP, in this case) is the data processor, this may not always be the case. You should obtain legal advice to clarify.

Note: This published assessment is intended to inform our clients about the current data privacy and security challenges experienced by IT companies in the global marketplace. It is in no way intended to provide legal advice or to endorse a specific course of action. Gartner does not provide legal advice or services, and its research, including this blog post should not be construed or used as such.

Category: cloud  

Tags: cloud  data-privacy  data-protection  gdpr  iaas  

Richard Watson
Research VP
5 years at Gartner
21 years IT industry

Richard Watson is an analyst in Gartner's Technical Professionals Research Service. He advises clients on cloud computing, application architecture, and application platforms. ...Read Full Bio




Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.