Cloud in the EU – Regulations and Data Privacy Laws To Be Aware Of

When the General Data Protection Regulation takes effect, it will replace the Data Protection Directive and become the ruling law for data processing and collection in all EU member states, regardless of those states’ individual laws.

Currently, the EU Data Protection Directive — which applies to EU-based organizations and those whose data passes through the EU — isn’t legally binding for citizens of EU states and leaves it up to member states to translate the principles into their own laws. And several have, including the UK, the Netherlands, Germany, France, Denmark, and Italy.

In contrast, the General Data Protection Regulation can be more strictly enforced and will apply to all EU member states without each state needing to individually ratify the law. Penalties include up to 2 percent of gross revenue — a hefty sum indeed.

For companies working with a cloud storage provider, it is more essential than ever to make sure your data remains compliant. It’s not only your own organization’s data privacy policies that should be up-to-date and compliant with regulations, but also those of your cloud partner. According to a recent article in ComputerWeekly, only about one in 100 cloud storage providers are ready for the new regulations. Here, then, are eight ways to make sure your cloud storage is up to regulations:

1. Make sure any subjects whose personal data is stored with your cloud provider are aware of the collection, and understand when and why their data may be shared with third parties.
2. Ensure your and your cloud provider’s privacy policies and procedures are well documented and regularly reviewed.
3. Make sure you and your cloud provider have a written procedure for data breaches that outlines steps to be taken and authorities to notify in the event of an incident.
4. Make sure any subjects whose data you’re storing in the cloud have access to their own data in the event that they need to correct any inaccuracies.
5. Minimize the amount of data you’re processing and retaining, and make sure the data you are processing is protected in accordance with the law.
6. Take caution that data is not transmitted to or stored in non-EU countries without data privacy laws as strong as the General Data Protection Regulation.
7. Ensure that personal data can only be accessed on a strictly need-to-use basis in accordance with the conditions of such regulations as the UK Data Protection Act.
8. Ask your cloud provider for documentation on data encryption to ensure that data cannot be easily accessed or breached.

Outside of the EU, such regulations as Switzerland’s Federal Data Protection Act of 1992 and Norway’s Personal Data Act of 2000 set forth similar restrictions and guidelines. And until the General Data Protection Regulation takes effect, organizations in such EU member states as Italy and France are bound by the Personal Data Protection Code and the Data Protection Act, respectively, to notify specific authorities in those countries before personal data can be processed.

While the vast array of existing regulations and the changes coming down the pike may at first seem overwhelming to organizations using cloud storage, evolving regulations can instead be viewed as an opportunity to review your current approach, and to hold your cloud storage provider accountable for keeping your data safe and sound. With this checklist, you can rest assured that your data storage solution satisfies any regulation.

Image: Flikr/Graham Veal