For those of you who are not familiar yet, GDPR (General Data Protection Regulation) is the new European directive superseding national laws such as the UK Data Protection Act and coming into force on the 25th May 2018. The regulation sets out a number of provisions for all organisations who handle personal data of EU residents and imposes tough penalties for non-compliance.
There is so much material about GDPR now that there’s no point rewriting it all. Moreover, the interpretations seem to change depending on who you ask and we are not positioned to provide legal advice.
I would like to focus on one aspect though. It is rightly considered that a data controller has more stringent restrictions than a data processor. This is largely correct; however, the responsibilities of a data processor are different from those of a data controller, and therefore even if a company remains a data controller, there are benefits to relinquishing some of the processing responsibilities.
Let me explain this point. If a charity has a list of donors which it maintains, the charity is the controller of this data and has stringent responsibilities under the GDPR. However, if this list is kept on local computers and local servers, the charity has stringent requirements on the storage of the data as well.
Should the organisation move to a Hosted Desktop provider, part of the requirements on safeguarding the data move to the hosted provider or disappear altogether. Using that same charity example, if the charity stored the data locally, it is more likely that some database information is kept on PCs, and the loss of a PC would require a breach notification. If that charity used a cloud provider instead, the lost laptop would hold no such information and there would be no breach to report.
Hosted Desktops offer a level of enhanced security often impossible to replicate cost effectively for small to middle-sized organisations. All data and information processing is carried out in a secure data centre and if the provider is ISO 27001 certified, organisations can be sure that every action is taken to ensure security is not compromised. In an increasingly mobile culture where staff work from their own devices, security policies cannot be put at risk because they are only using those devices to access their work rather than to store it.
Organisations in breach of the regulations can expect fines of up to 4% of annual global turnover or 20 million Euros, whichever is greater; moving to the cloud has many good justifications. GDPR compliance just made the cloud even more compelling.