How Cloud/Hosting can help with GDPR Compliance
L3C were recently invited to showcase our services at a GDPR IT Leaders Forum in Manchester, sponsored by IBM and Techdata. The guest speakers imparted a great deal of knowledge and advice on the subject but the most interesting insights into challenges being faced came from the audience questions.
What soon became clear was that, beyond analysing personal data held in modern cloud-based systems such as Salesforce, many of the IT leaders in the audience were concerned about legacy applications and CRM systems that may have been earmarked for sunsetting at some point in the future but are still prevalent in many organisations because they hold data that is required from time to time. Such systems have quite naturally received less investment in their upkeep, but they will need attention under GDPR if they hold personal data.
We had several discussions during the breaks with IT leaders interested in how L3C, as a UK cloud/managed service provider, could help in such scenarios.
Using the example of a recent ‘legacy’ AIX migration, with Oracle and Progress databases, into the L3C cloud environment, we could explain how a local cloud/managed service provider can assist with GDPR compliance (notwithstanding that the local CSP needs to be GDPR compliant itself!).
With a UK service provider you know your data is in the UK and also that it is being replicated within the UK to a secondary data centre. A requirement of GDPR is that data transfer is transparent (i.e. you know where your replication site is and that data can be recovered in a timely manner). Explaining how we recently implemented a solution that allows file-level recovery allayed many of these concerns.
Clarity around access rights is also essential, particularly with respect to database administrators. A UK service provider, as opposed to one of the major public cloud providers, will work with you to define who has access to data and under what conditions DBAs have it. Additionally, a local service provider should provide you with a record of any processing of your data (again a requirement of GDPR).
Particularly pertinent to legacy systems is the need to maintain current patch management; it is likely that many such systems have not received full attention for operating system and database patching in the past.
Perhaps the biggest relief during our discussions came when we explained that risk would be shared. Irrespective of how aggressively (or how badly) contracts are written, GDPR places responsibility on the processor of data (i.e. the cloud service provider) to implement appropriate technology and processes to prevent a breach. Therefore it is equally in the CSP/MSP’s interest to work with you to ensure compliance of the environment.
We’ve identified 8 areas where a local service provider such as L3C can assist with GDPR compliance, and this excludes ancillary services such as Enterprise Mobility Management, which address the concerns of effectively managing mobile access to applications, patching, and the separation of corporate and personal data on devices.