Benefits of Having Your Head in the Cloud(s) – Part 3

Compliance tools that are available for cloud services

In this blog, we will look at how the compliance tools available for cloud services link with the data protection regulations of the GDPR (General Data Protection Regulation).

It is safe to say that data protection regulations such as the GDPR have taken the world by storm.

Both the EU and UK GDPR have a comprehensive set of regulations that companies need to adhere to in order to protect the personal data of individuals. These regulations encompass aspects from classifying personal data to dealing with data subject requests and data breaches.

Simply put: In terms of the GDPR, a company is acting as either a processor or a controller whenever it handles the personal data of individuals. When a company decides on the purposes and means by which personal data will be processed, it is acting in the capacity of a controller. A processor, on the other hand, is a party that processes the personal data on behalf of the controller.

A company will act as both a processor and a controller in the course of its business; it depends on the context in which the personal data is used. Companies therefore need to be familiar with the duties and responsibilities of both roles.

Both parties have duties and responsibilities to adhere to in terms of the GDPR. By entering into a data transfer agreement with your cloud service provider, the scope of these duties and responsibilities is clearly delineated.

It is therefore essential that companies make effective use of the tools inherent to cloud service offerings in order to reach their performance goals.

We will now look at the tools available in the Microsoft Cloud and how these tools serve not only you as the customer but also your chosen cloud service provider in meeting your respective compliance requirements.

The Microsoft Cloud includes offerings such as Azure, Dynamics 365, and Windows. These offerings all have built-in features designed to help you as the customer and your chosen cloud service provider remain compliant.

Managing requests by data subjects

It is well established that the GDPR now provides parties with the right to manage their personal data. This means that parties can request copies of their personal data, ask for corrections to their data, or even request that its processing be restricted or that it be deleted. It goes even further by specifying the format in which the data can be received.

Such a data subject request entails six activities. We will now take a closer look at how the Microsoft Cloud offerings enable companies to carry out each of these activities.

Discovery

The offerings all have search and discovery tools that enable your provider to locate the requested customer data.

Access

After locating the personal data in question, your service provider will be able to provide you as the customer with either a copy of the document, a redacted version, or a screenshot of the appropriate portions. This is accomplished through the portal and the in-product experiences inherent to the offerings.

Rectification

The Azure Active Directory portal enables your cloud service provider to make the requested changes to the personal data.

Restriction

Your cloud service provider, more specifically the designated tenant administrator, has the capability to restrict access within the Microsoft Cloud.

Export

Your cloud service provider can comply with the GDPR's requirement of data portability by exporting an electronic copy of the user's personal data, including any accounts, system-generated logs, and associated logs.

Deletion

Personal data can be removed from the Microsoft Cloud by deleting all personal data and system-generated logs, with the exception of audit log information. Take note that only a tenant administrator is able to delete a user from the tenant.

It is therefore clear that the offerings are well equipped to deal with compliance requests under the GDPR, and there is the comfort of knowing that these requests can only be handled by authorized parties with restricted access.

Let us take a look at how the Microsoft Cloud offerings assist parties in detecting and dealing with breaches.

Breach

The mere mention of the term alone is enough to send shivers down the spine of every compliance officer. There are hefty fines that penalize companies that do not comply with the data protection measures of the GDPR.

In terms of the GDPR, there is a 72-hour window within which notice of a breach needs to be given to the appropriate data protection authority. Additionally, the parties have to provide details on the breach itself. These details include the number of data records affected or potentially affected, the consequences of the breach, and any mitigating measures that the companies took or intend to take.

So, the good news is that the various offerings all have inherent tools that enable the cloud service provider to obtain the information needed to comply with the GDPR in the event of a breach.

But how will this be achieved?

Azure, Dynamics, and Windows

It is worth re-emphasizing that when it comes to the protection of data and implementing data protection measures, both the customer and the cloud service provider have a shared responsibility.

Avoid any ambiguity by having discussions with your chosen cloud service provider to obtain clarity on how this responsibility will be apportioned.

Due to the nature and privacy features of the cloud model, incidents that occur within the customer's own environment cannot be monitored by the cloud partner. It is therefore the responsibility of the customer to utilize the compliance features internally, by taking measures such as restricting access to only a few authorized parties and having robust security measures in place. These measures can include multi-factor authentication and encryption.

Additionally, it is highly recommended that the customer adopts an emergency response plan that sets out how data breaches will be handled and designates key role players to liaise with the cloud partner.

Make sure that you and your chosen cloud service partner are clear as to the extent of their involvement in such an emergency response plan.

It is well worth speaking to your cloud partner about measures such as Microsoft Defender for Cloud to help develop such an emergency response plan.

In compliance with the GDPR, these cloud offerings have detection and response processes in place that are used to discover potential risks for the parties. Several events can trigger an investigation.

Familiarize yourself with the activities that can create so-called triggers for breaches, and document how the parties intend to collaborate, investigate, and respond to any incidents that may occur.

Remember that prevention is better than cure: The overwhelming majority of data breaches occur as a result of human error. Educate your personnel on the importance of strong passwords and clear desks, and on avoiding personal use of work computers and laptops.

Be open to advice from your cloud service provider on the security measures that are available for the various offerings. After all: They do this for a living!

Key takeaways

The GDPR is here for the foreseeable future. It is therefore important to reconsider and evaluate the security measures that your company is currently implementing.

By choosing the right service provider, your company will be able to optimize its efficiency and truly shoot for the stars!