There are many tempting reasons for companies to consider the future of their legacy IT estate in light of the increased functionality and lower operating costs of cloud services. However, with the increased data protection requirements arising from the EU General Data Protection Regulation (GDPR), which takes effect on 25th May 2018, it is recommended that a formal risk vs. reward analysis is undertaken to ensure that legislative compliance can be fully met.

Legacy IT infrastructure is normally under the direct control of the organisation, perhaps hidden away in a basement or nearby data centre facility. Understandably this gives IT Managers a close relationship with their assets, and they will probably have sole responsibility for their physical and technical security. As an alternative, cloud services could be based in any country (although there may be some choice in this), and the customer’s IT Manager is very unlikely to ever see the assets from which the cloud service is delivered.

Providers of cloud services are almost certainly better placed than legacy system owners to invest in the physical security of the hosting premises, the scalability, resilience, and redundancy of the cloud-delivering assets, and the range of skills and competencies of their cloud analysts and engineers employed to keep the lights on. Cloud services allow their customers to stop buying expensive and fast-depreciating infrastructure, scale their cloud services up and down to meet ever-changing operational and capacity demands, and reduce the direct personnel overheads associated with running a traditional legacy estate.

However, potential cloud customers need to be fully aware that not all cloud services will be identical, and they will need to choose carefully to ensure that their business and security objectives can be met – including ensuring that full compliance with legislation such as GDPR can be achieved. This requires a robust approach to supplier due diligence, and the customer will need the ability to interpret the responses they receive from the potential cloud service supplier. The UK’s National Cyber Security Centre has published a set of “Cloud Security Principles” which are a useful reference point for evaluating a cloud supplier’s capabilities.

Responsible cloud service providers will be well advanced on their own GDPR compliance journey and will be willing to share details of their operational, technical and personnel controls with potential customers. One important matter for customers to address is understanding the physical, geographic location of the hosting facilities and any associated support facilities, which in turn indicates whether the local data protection framework will be sufficient for the customer and, more importantly, for the end-user citizens who may be consuming the cloud service.

With the cloud service provider becoming a “data processor” for the customer, they should be able to commit to assisting their customers with delivering the various data subject rights which are available within GDPR. Citizens will become more aware of their rights to request details of data being held about them, to have incorrect data corrected, to have their personal data transferred to another data processor, and, in some circumstances, to have their personal data deleted when it is no longer required. All of these activities need to take place within specific time windows, and customers will need to ensure that their selected cloud service provider is willing and able to play their part in completing the requested actions.

GDPR introduces a 72-hour window for the reporting of personal data breaches, and failing to report within it may increase the penalties that later arise. With legacy, on-premise solutions, the challenge is to ensure that systems and personnel work together so that potential data breaches are identified, reported and investigated promptly, which could be difficult with limited technical resources. Cloud service providers will be better placed to detect issues, with comprehensive monitoring solutions and dedicated, 24×7 analysts managing the cloud estate. However, customers should still satisfy themselves that the cloud service provider is fully prepared and equipped to detect and report personal data breaches, so that the customer’s legal obligations for prompt reporting can be met.

GDPR will affect all processors of personal data, whether in hard-copy paper form, within on-premise IT systems, or outsourced to specialist providers in the cloud. GDPR requires data controllers to demonstrate “privacy by design”, and a thoroughly completed Data Protection Impact Assessment will help to highlight any issues, as well as providing citizens with transparency of data processing activities.