The General Data Protection Regulation (GDPR) comes into force soon. As of May 25 it will be the mandatory data protection regulation that will replace the LOPD.
Adaptation in Spain seems to be very slow. According to an IDC study, only 10% of Spanish companies are ready, a figure that is far from the degree of adoption in other European countries such as Germany (26%), the United Kingdom (24%) and Italy (20%).
The main obstacles to its adoption found in Spanish companies are: conflicting priorities, lack of budget, limited resources and ignorance of the regulations.
The study shows that one of the main doubts companies have is how GDPR will affect the cloud. So let’s see where the main cloud providers stand with regard to GDPR compliance.
SPOILER for the impatient ones: they are better prepared than in previous regulations.
Amazon Web Services will comply with GDPR when it enters into force on May 25, 2018. AWS continuously maintains high levels of security and compliance throughout all of its regions around the world.
The architecture of its cloud infrastructure has been designed to offer a powerful, flexible and totally secure environment.
Its Data Processing Agreement (DPA) was updated in April 2017 to include GDPR. They have deployed teams of compliance experts, data protection specialists and security experts to work with clients in Europe, answer their questions and help them set up their environments.
They also signed the CISPE Code of Conduct to assure their cloud customers that they are using the appropriate data protection standards to protect their data in a manner consistent with GDPR.
AWS has a large number of internationally recognized certifications and accreditations: ISO 27017 for cloud security, ISO 27018 for cloud privacy, PCI DSS Level 1, and SOC 1, SOC 2, and SOC 3.
In addition to its own compliance, AWS makes available to its clients services and resources to help them meet the requirements of GDPR that may apply to their activities. You can find more information here.
Google Cloud Platform
At Google they know that preparing for this regulatory change is a priority for millions of organizations that rely on their cloud services. Therefore, they adapted months in advance and, in October of last year, they deployed the updated security and data processing terms for Google Cloud Platform to reflect GDPR.
Data is key for companies and, therefore, GCP has committed to ensuring that its clients can control their data at all times and decide what information is shared and what is not.
Google has some of the world’s leading experts in information security, applications and networks. Google Cloud Platform data processing contracts clearly state their commitment to customer privacy.
Google’s global infrastructure is designed to offer total security of services throughout the information processing cycle.
The standards and certifications that GCP holds are: ISO 27001 (information security management), ISO 27017 (security in the cloud), ISO 27018 (privacy in the cloud), SSAE16 / ISAE 3402 (SOC 2/3),
Google complies with GDPR and is helping its customers on their way to compliance. All the information in relation to Google Cloud and GDPR is available on its website.
Red Hat took a collaborative approach and involved key stakeholders in its organization to prepare for GDPR. They took steps to carry out detailed data inventories, implemented processes and made improvements designed to meet the different GDPR requirements.
For example, they took measures in the processes related to data rights, including how individuals can obtain their personal data, make corrections and request its deletion.
Red Hat has also carried out multiple improvements in its product portfolio to include the necessary functionalities to properly manage personal data.
They are also fully aware that this adaptation is not a day’s work, and they work continuously to support the privacy and security of the personal data entrusted to them and to help their clients comply with the new regulations. You will find much more information about it here.
In the study that we talked about at the beginning, despite the doubts about how GDPR would affect the cloud, 53% of the organizations bet on the cloud regardless of the impact of the new regulation.
For most companies, their cloud strategy does not depend on the fact that they have to collect, store or process personal data according to GDPR. They are clear that it does not entail significant extra effort.
Moreover, as we have seen, the use of the cloud is not only not an obstacle, but can be an important help in adapting to GDPR.
The main cloud providers demonstrate that they are fully prepared, and they even provide a multitude of resources so that their clients stay up to date in complying with the regulations.