When the GDPR came into force in May 2018, a number of businesses were still in the process of updating their IT systems to be in compliance with it. This meant, however, that many of them overlooked their outsourced services such as cloud storage.
Of course, in some ways cloud storage services can be extremely beneficial when preparing yourself for GDPR compliance. For example, they are highly secure and offer protection against cyberattacks. However, there are still steps you need to take to make sure you are compliant. Here, with the help of online storage experts Images Online, we look at the essentials of ensuring your services remain compliant with the GDPR.
Is your data storage affected by the GDPR?
If your business is based in the EU or you collect the personal data of customers or individuals from the EU, then you will need to be compliant with the rules of the GDPR. Remember that personal data in this context refers to any kind of data that could be used to identify an individual, including their IP address. So even if there’s only a chance that individuals from the EU will visit your site, you will need to be compliant.
So if you do need to comply with the GDPR and you use any kind of cloud technology to store data, you will need to take a look at a number of factors to ensure that your services are appropriate.
The location makes a difference
You might never have given a second thought to the actual physical location of your cloud storage, as it is not really relevant on a day-to-day basis. However, with the GDPR in force it is important that you know the location of any kind of storage that is used for the collection or analysis of personal data.
If your cloud storage is hosted in an EU country then you will already be fully in compliance with the GDPR rules due to the fact that the company will have to conform to the regulations themselves.
Ensure you have a compliant agreement with your cloud provider
You may need to ensure that there is a new agreement in place with your cloud storage provider. Remember that this is a legal necessity, and if your provider will not agree to changing its agreement with you so that it brings you in line with the GDPR then you will need to look for a new supplier. This is not a case of you asking for something unreasonable – every business is bound by the same regulations and failing to comply can see you hit with heavy fines.
The expense of having to find a new supplier and the hassle of changing your system will be nothing compared to the trouble that you will face if you keep the same supplier and are then found to be in breach of the GDPR.
Only collect data that is necessary
With all forms of cloud data storage you need to ensure that you are only collecting data that is ‘necessary’. Clearly what is necessary for you to collect can vary enormously, but the important thing is that you should have a reason you can justify for gathering and holding the data. Once again, if you are found to be storing data that you do not need then you will be in breach of the regulations.
Use data for a specific purpose
Additionally, when you collect data you need to be able to justify that it is being collected for a specific purpose. And when you have this data, you should only use it for that specific purpose, unless you have gained permission to use it for a different purpose. This is related to the problem of companies collecting a potential customer’s email address because they signed up to a newsletter, but then bombarding them with spam messages promoting products they have no interest in.
Ensure that data can be erased
Another key aspect of data storage is that you must be able to delete data as soon as you do not need it anymore. You are not allowed to store data just for the sake of it, so ensure that your cloud storage puts you in a position where files can be easily located and deleted once they have served their purpose.