Since the Covid-19 pandemic, compliance with data protection laws has probably not been a priority for many companies. As they rushed to set up remote operations and move to telecommuting, heavy reliance on the cloud appeared, to some extent, to shift their regulatory obligations onto online service providers.
However, the argument that the service provider bears all responsibility does not hold with the authorities. Under the regulations that govern data processing, corporate customers are responsible for verifying that their cloud service providers meet national obligations. And beware: this also applies to cloud hosts located in the UK, which, even after Brexit, are still expected to comply with European regulations.
In addition, companies must comply with new regulations as well as updates to existing ones, including PCI DSS v4.0, released in 2022. In other words, it is necessary to verify that the cloud service provider is up to date.
As the move to the cloud is set to grow (IDC estimates that spending will reach $1.35 trillion by 2025), businesses need to make sure they have safeguards in place that ensure both security and privacy.
Therefore, it is advisable for CIOs to take advantage of the coming months to review their cloud compliance models. Here are some important points to consider.
GDPR and the Data Protection Act
European regulations have become, if not a de facto standard, at least a model for other countries' data protection laws. For example, even though the UK is no longer in the European Union, the EU's General Data Protection Regulation (GDPR) has been incorporated into UK law alongside the Data Protection Act 2018.
The GDPR lays out the rules to be followed for data processing, including when that processing is performed by third parties. As Mathieu Gorge, CEO of Vigitrust, a company specializing in privacy and compliance, points out, using the cloud automatically means that the data has been entrusted to a third party.
"Under the GDPR, the cloud provider becomes the data processor and you act as the data controller," he explains. "You have to make sure that the data processor guarantees a level of security that is at least appropriate for you. You should also take an inventory of your data flows to ensure adequacy, and conduct a privacy impact analysis."
Cloud providers located in the United Kingdom, a territory widely used to host applications from the rest of Europe, have no interest in deviating from the rule. Remember that before Brexit, it was in the United Kingdom that some of the heaviest data protection fines were imposed. Since then, the largest sanctions have come instead from Irish and Belgian regulators. According to Mathieu Gorge of Vigitrust, the Information Commissioner's Office (ICO) wants to show that it still has the power to impose heavy fines, even after Brexit.
PCI DSS and PCI DSS 4.0
The Payment Card Industry Data Security Standard (PCI DSS) is not a legal requirement in itself but a contractual one imposed by the card brands and acquirers, although data protection experts strongly recommend treating it as if it were law. The PCI Security Standards Council released the final version of PCI DSS v4.0 in March 2022.
Under the transition arrangement, the previous version, v3.2.1, remains valid for two years after the publication of v4.0, that is, until 31 March 2024. In addition, v4.0 contains a set of "future-dated" requirements that are only best practice at first.
Those future-dated requirements become mandatory three years after the release of v4.0, on 31 March 2025, which pushes full implementation of the new standard out to 2025. Until then, given the potential impact of the standard on organizations, IT managers, information security officers and data controllers must ensure compliance with the version currently in force.
"A payment card, in addition to its number, is often accompanied by personal data, such as the home address and the full name of the owner. In other words, a breach of this data is a violation not only of PCI DSS but also of the GDPR; two violations that result in heavy financial penalties," warned Craig Tunstall, cloud specialist at HeleCloud.
The NIS Directive (Network and Information Systems)
Like the GDPR, the NIS (Network and Information Systems) Directive is a European text that has also been transposed into British law. Although the directive is less well known than the GDPR, it imposes stringent requirements. Digital service providers, including cloud service providers, must implement security measures to prevent compromise and data breaches. If they suffer an incident, they must notify the ICO (Information Commissioner's Office) within 72 hours.
However, the NIS rules have evolved since the UK left the European Union. The law covers two groups of organizations: operators of essential services (OESs) and digital service providers (DSPs), which fall within scope because of the critical nature of their services to national infrastructure.
Phil Robinson, founder and principal consultant of cybersecurity consultancy Prism Infosec, explained that when data is processed in the cloud, registered organizations such as OESs and DSPs must report any security incidents to the ICO.
Businesses using the cloud need to understand that they remain responsible for data protection, privacy and security even when they rely on vendors. These obligations do not come from a single piece of legislation, but reflect the basic principles of the GDPR, the NIS Directive and all other data protection rules.
In practice, this means that companies always remain responsible for their data, even when it is stored or processed by a third party, whether that is a cloud platform like AWS, a productivity suite like Office 365, or a basic file-sharing service like Dropbox.
Given the variety of cloud services in use today, companies need to ensure that the infrastructure in place meets the sensitivity and regulatory obligations associated with their workload or business processes.
As Craig Tunstall of HeleCloud points out, a CISO cannot, for example, claim PCI DSS compliance for a workflow simply because it runs on AWS infrastructure that is itself PCI DSS compliant: the provider's attestation covers the provider's part of the stack, not the customer's configuration, applications and data handling on top of it.
"If you want to ensure regulatory compliance when storing data in the cloud, you need to understand your cloud service provider's shared responsibility model and the specific service you're using," he said.
Data residency, Brexit and adequacy
Organizations need to know where their data is at all times. With on-premises storage hardware, everything is simple: the data is in the computer room, in the data center or in a colocation facility, and it rarely moves (during recovery after a major incident, for example).
By its nature, the cloud can place data anywhere in the world, and technologies like object storage can even spread a single file across multiple locations. The hyperscalers (AWS, Azure, GCP and others) all offer region-specific storage and the ability to lock data to one geographic area, but that lock only holds if it is actually configured and enforced on the customer's side.
That said, there is no such guarantee for smaller cloud services or for third-party services that run on someone else's public cloud infrastructure. After Brexit, the UK obtained an adequacy decision from the European Commission, so personal data can continue to flow from the European Economic Area to the UK without additional safeguards, while the UK in turn treats the EEA as adequate for transfers in the other direction; the GDPR's transfer restrictions otherwise apply to data leaving the EEA for the UK.
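The region lock mentioned above is usually enforced with an organization-wide policy rather than bucket by bucket. The following is an added example, not code from the original article or from any of the firms quoted in it: it builds an AWS Organizations service control policy (SCP) that denies every regional API call whose requested region is outside an allowed list, using the real aws:RequestedRegion condition key, and includes a small evaluator so the policy's logic can be checked against sample requests offline. The allowed regions, the list of exempted global services, the break-glass role name and the sample requests are assumptions for illustration; the evaluator handles only this single Deny statement and is not a full IAM engine, so a real policy must still be tested against the account's workloads before enforcement.

```python
"""Region-lock SCP: build the policy document and evaluate sample requests.

Added example, not from the original article. The allowed regions, the
exempted global-service prefixes and the break-glass role name are
assumptions for illustration only.
"""
import fnmatch
import json

# Assumption: the organisation wants its data to stay in these two EU regions.
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]

# Assumption: services with no regional endpoint of their own. Their API calls
# are signed for us-east-1, so without this exemption the policy would also
# block IAM, STS and other account-level operations.
GLOBAL_SERVICES = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*", "support:*",
]

# Assumption: an emergency role that is allowed to act outside the region lock.
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/BreakGlassAdmin"


def build_region_lock_scp() -> dict:
    """Return an SCP that denies every non-global API call whose requested
    region is outside ALLOWED_REGIONS, except for the break-glass role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICES,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS},
                    "ArnNotLike": {"aws:PrincipalARN": [BREAK_GLASS_ROLE]},
                },
            }
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action patterns are case-insensitive and support '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied(policy: dict, action: str, region: str, principal_arn: str) -> bool:
    """Minimal evaluator for the Deny statement above (not a full IAM engine).

    A Deny statement applies when the action is NOT covered by NotAction and
    every condition block is true. StringNotEquals with a list is true when the
    region matches none of the listed values; ArnNotLike is true when the
    principal matches none of the listed patterns. An explicit Deny in an SCP
    cannot be overridden by any identity or resource policy.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # exempted global service
        cond = stmt["Condition"]
        region_allowed = region in cond["StringNotEquals"]["aws:RequestedRegion"]
        exempt_principal = any(
            fnmatch.fnmatchcase(principal_arn, pat)
            for pat in cond["ArnNotLike"]["aws:PrincipalARN"]
        )
        if not region_allowed and not exempt_principal:
            return True
    return False


if __name__ == "__main__":
    scp = build_region_lock_scp()
    print(json.dumps(scp, indent=2))
    # Constructed sample requests (not real traffic): (action, region, principal).
    samples = [
        ("s3:PutObject", "eu-west-1", "arn:aws:iam::111122223333:role/AppRole"),
        ("s3:PutObject", "us-east-1", "arn:aws:iam::111122223333:role/AppRole"),
        ("iam:CreateRole", "us-east-1", "arn:aws:iam::111122223333:role/AppRole"),
        ("ec2:RunInstances", "ap-southeast-2",
         "arn:aws:iam::111122223333:role/BreakGlassAdmin"),
    ]
    for action, region, arn in samples:
        verdict = "DENY" if is_denied(scp, action, region, arn) else "allow"
        print(f"{action:18} {region:15} -> {verdict}")
```

Attach the generated document to the organizational unit that holds the in-scope accounts. Note that an SCP only fences the API: data already replicated to another region before the policy was attached, and cross-region copies made by the provider's own managed services, have to be audited separately.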
Companies transferring data outside the European Economic Area, for example to the United States or Australia, must be able to show either that the destination's data protection laws are adequate, or that appropriate safeguards or the data subject's consent are in place, and that they comply with applicable local law at the destination (such as China's Personal Information Protection Law).
Data location remains a difficult issue, and companies have every interest in consulting a professional before launching a cloud project.