In May 2018, the UK government will introduce the new General Data Protection Regulation (GDPR). This replaces the old Data Protection Act and has been structured to reflect the way in which data is now handled. The old Data Protection Act has been in place for several years, and over that time, the way that companies manage personal data has changed considerably – both in terms of the type and volume of data that is stored, and the uses to which that data is put.
Although the GDPR is a piece of European legislation, it will still be observed in the UK following Brexit, and as such, it is essential for businesses to both familiarise themselves with the requirements of the legislation, and to ensure that the way they manage data is in line with the regulation.
Who the GDPR Applies To
The way the GDPR is written covers two specific roles:
- Data Controllers
- Data Processors
A data controller sets policies within an organisation about how and why personal data will be processed, whereas a processor acts on the controller's behalf to process the data.
Controllers and Processors are defined roles, but they are applicable in all organisations that store data – whether this is data about staff or customers.
In terms of these two roles, the responsibilities under the new GDPR legislation have changed considerably, particularly for Processors. Data processors are now required to maintain records of activity related to personal data. In practice, this becomes a responsibility at a policy level to provide tracking of usage within the organisation.
In short, if you are an organisation of any size that holds any personal information, then you need to ensure that your policies for controlling the way that data is used are compliant with GDPR guidelines.
The GDPR brings in several rights for individuals about whom data is stored. They now have explicit rights to be informed about what data about them is held, along with a right to access that information. An individual now has a right to have data about them deleted or rectified, and to restrict how that information is used.
One of the requirements of the GDPR is that consent is obtained if data about an individual is going to be stored outside the European Union.
There have been historic requirements in the UK for some personally identifiable information to be hosted within a UK data centre, which has limited the ability of businesses and local government to take full advantage of the cloud. The GDPR doesn’t change this much at an EU level, although for the UK, it does mean that data can now be warehoused in the EU rather than just physically in Britain.
Consent is still required if you want to store personal data outside the EU.
This change reflects the way that data is managed by many businesses already, but has benefits where a company wants to host their database in the cloud. If the public cloud provider that you use spreads load across multiple regions, then personal data may end up being stored outside the EU, and you may be in breach of the GDPR.
The new legislation better recognises cloud services and offers more flexibility to businesses – provided that their systems are compliant.
Azure and the GDPR
Over the past year, there have been many developments within the Microsoft Cloud portfolio that are relevant to the GDPR. Microsoft already have major European data centres in the Netherlands and in Ireland, both of which are in the EU and as such are under the legislation. The company has also opened large UK data centres to meet demand in this country. This provides additional flexibility for data owners to choose where their information is hosted.
In parallel with the Microsoft-owned data centres, the rise of Azure Stack implementations in third-party data centres provides additional flexibility about where data is warehoused.
What do I need to do?
As a business, it's essential that you ensure that your IT strategy and data policies are compliant with GDPR before the law comes into effect in May 2018. For businesses using cloud services such as Azure, this is particularly pertinent, and it is important to perform a comprehensive audit of where and how data is stored to ensure that responsibilities are being met.
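One practical control that follows from the audit described above is to prevent resources from being created outside the regions your compliance review has approved, so that a workload cannot quietly spread into a non-EU region. The Azure Policy definition below is an added example written for this article; it is not Valto's or Microsoft's own code. It assumes that the UK and EU regions listed in the default value (uksouth, ukwest, northeurope, westeurope) are the ones you have approved, and that the reader will assign the policy at subscription or management-group scope.

```json
{
  "properties": {
    "displayName": "Restrict resource locations to approved UK and EU regions",
    "description": "Constructed example for a GDPR location control. The allowed region list is an assumption and should be replaced with the regions approved by your own compliance review.",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which resources may be created (assumed approved list).",
          "strongType": "location"
        },
        "defaultValue": [
          "uksouth",
          "ukwest",
          "northeurope",
          "westeurope"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The rule denies any deployment whose location is outside the approved list, while allowing "global" resources such as DNS zones that have no single region. Two caveats apply. First, the policy only governs where a resource is created; services whose redundancy option replicates data to a paired region (geo-redundant storage, for example) need that replication setting reviewed separately, because the paired region may sit outside the list. Second, a deny policy stops new non-compliant deployments but does not move existing resources, so run the same policy in audit mode first (effect "audit") to list what is already hosted outside the approved regions before switching to deny.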
Valto are experienced cloud specialists with a team that are fully briefed on the requirements for businesses and other organisations under the GDPR. For more information or to book a compliance audit, please contact a member of our team on 03335 779 009 and we will be happy to help.