Cloud security checklist for GDPR compliance

5 things to consider when choosing a file sync & sharing service with GDPR in mind

The GDPR requires companies to protect the personal data of their customers and employees at all stages of the data processing lifecycle. With more businesses adopting and using cloud-based tools for communication and collaboration, complying with this requirement is a challenge.

According to a recent survey, 60% of enterprises plan to abandon their on-premises systems completely to switch to cloud-based, Software-as-a-Service tools in the next two years. Smaller companies are also migrating to the cloud: in 2017, the average number of cloud apps used by an SMB was estimated to be as many as seven.

Choosing cloud-based services that help companies ensure and maintain GDPR compliance is not an easy task. Businesses need to take different technology and legal aspects into consideration when looking for a service provider. Our guide helps you with summarizing the 5 most important things to keep in mind.

GDPR Compliance free eBook

Free eBook "GDPR Cloud Security Guide: 5 Key Things to Consider when Choosing Cloud Storage for your Business"

In this free GDPR Compliance Guide, you'll learn:

  • What is the GDPR (General Data Protection Regulation) and what are its requirements for managing personal data in the cloud?
  • What are the main challenges of using cloud-based services?
  • What are the 5 key technology and legal requirements cloud storage services should meet to help you ensure GPDR compliance?
  • How do major cloud storage services Box, Dropbox, OneDrive, and Tresorit compare in terms of GDPR compliance?
Get the free eBook

1. Technology measures: What are the encryption technologies used by the provider?

The GDPR recommends businesses to use technical safeguards like pseudonymization or encryption to protect personal data. Encryption is a strong security measure because it minimizes the risks of data exposure in the eventuality that personal data is leaked. Strongly encrypted personal data is only white noise for unauthorized parties.

The GDPR refers to encryption in several provisions. However, it does not specifically indicate which algorithm (e.g., AES-256) and architecture or application (e.g., at-rest, in-transit, or end-to-end) it recommends.

While the GDPR does not explicitly talk about encryption methods, the way encryption keys are stored is important to decide whether the re-identification of persons from the leaked encrypted dataset is possible with reasonable efforts. With in-transit & at-rest encryption, the cloud provider has access to the encryption keys, while with end-to-end encryption, the keys are stored at the user only (the provider never has access to plaintext encryption keys). Because of this, in case of a data breach, re-identification of persons from the end-to-end encrypted data is infeasible. This way, end-to-end encryption with client-side key management represents stronger protection for personal data.

It is also important that the provider uses industry standard algorithms like AES-256 that are thoroughly checked by cryptography researchers.

1. Technology measures: encryption

  • For the strongest protection, make sure that the encryption keys are managed by the end-user, on the client-side
  • Look for end-to-end encrypted services
  • Check if the provider uses industry-standard algorithms like AES-256

2. Technology measures: What further security and control features does the provider offer?

Beyond strong encryption, the provider needs to take further steps to secure the data of their users.

First and foremost, account security should be taken seriously. This includes managing user authentication securely, preferably with zero-knowledge methods. There are different levels of how securely a service provider treats your password. The highest level of password protection is the “zero-knowledge” method: your provider has zero-knowledge about your password. In this case, your password won’t be compromised if the service provider is hacked nor in the case of an employee leak.

Screenshot

Beyond password protection, make sure that the provider offers multi-factor authentication. This adds extra layers of protection to the simple password-method by asking for the verification of your identity with an additional, trusted device (for example with a text message sent to your phone).

Based on the “Privacy by Design” principle, the GDPR requires all organizations to implement comprehensive data protection policies. Businesses have to protect the confidentiality and integrity of personal data: it should be processed in a manner that ensures appropriate security with technical and organizational measures.

This means having security practices and policies in place and enforcing them on a daily basis. When it comes to collaboration within teams and keeping in touch with clients or partners, these policies are essential to keep data secure. According to surveys, a large part of data breaches is caused by employee errors or malicious employees. These incidents can include cases when work devices are lost or stolen, or when employees leak data on purpose.

Make sure that your provider offers extensive data control and governance features to minimize the risks of these events. There are several useful features you should look for: permission management to set up granular access levels to personal and other sensitive data, the option to monitor staff’s activities related to files management such as who opened or deleted the files (audit trail), the possibility to create and monitor internal security policies related to data security, backup options like deleted file recovery, and device control tools. (access revoke, remote wipe, etc.).

2. Further security and control features

  • Check how the provider manages user authentication and passwords - look for zero-knowledge services
  • Make sure that the provider offers multi-factor authentication
  • Make sure that the service provides your business with extensive data control features like permission management, security policies, or access revoke

3. Transparency: Is the provider transparent about data residency and data protection?

Cloud security for businesses
Webinar

5 key steps for SMBs to GDPR compliance

Learn how to locate, identify, and protect personal data in your company before the GDPR deadline. Watch now

The GDPR states that personal data should be processed lawfully, fairly, and in a transparent manner. This applies both to businesses managing personal data (data controllers) and cloud-based services they use (data processors). The data controller though has to make sure that the third-party services they use to meet these requirements, as according to the principle of accountability, the final responsibility and liability of protecting the data lies on them. The controller should be able to demonstrate compliance with all the principles relating to the processing of personal data.

It is crucial to choose cloud services that are transparent about how they manage data and provide clear and easy-to-understand documents about this, including how they further process data and what sub-processors and third-party services they use for that.

Data residency is an essential aspect, too. Although the GDPR doesn’t specify whether the data should be stored in the EU, ensuring GDPR compliance is more straightforward if your provider stores your data in EU datacenters. When the provider uses third-country data-centers or sub-processors, additional guarantees are needed to ensure that your data is protected according to the same high standards as the EU prescribes with the GDPR.

3. Transparency on data protection

  • Look for clear Privacy Policy and Terms of Use
  • Search for information on data center locations and the third-party services the provider uses
  • Check server location: choose EU-based data centers if possible
  • Ask for a Transparency Report on user data requests

4. Legal guarantees for data protection: Does the company provide binding documents on data protection?

Securing the cloud
Webinar

Securing the cloud

Learn the main data protection principles and impacts of the GDPR from legal and technology experts. Register now

To provide EU residents with stronger control over the privacy of their data, the GDPR unifies data protection regulations across all member states. This means that all companies who manage the personal data of EU residents have to adhere to its strict requirements.

In case you’re looking at an EU-based cloud solution provider, always look for proof that the company has already started to prepare their data management processes for the GDPR. This includes, among many other things, providing the required documents on data protection such as a clear and easy-to-understand Privacy Policy and Terms of Use, and beyond that, a Data Processing Agreement that they can sign with their business customers.

If the cloud company is not located in the EU, you have to look for other proof beyond that. Make sure that the company:

  • is established in a third country that received a data protection adequacy decision from the European Commission (for example, Tresorit is located in Switzerland, a country with adequacy status from the European Commission). or
  • is certified under the EU-US Privacy Shield, or
  • provides other adequate contractual guarantees that prove they have the same high level of protection as EU companies (for example, Standard Contractual Clauses adopted by the European Commission, or Binding Corporate Rules (BCRs) approved by the procedure detailed in GDPR Article 47

4. Legal data protection guarantees

  • See if Privacy Policy and Terms of Use include GDPR related requirements
  • Check how the provider manages consent for data usage
  • Ask for Data Processing Agreement in line with GDPR Article 28
  • If dealing with a provider that is not based in the EU, look for the country’s adequacy status decision, company’s Privacy Shield certification or other contractual guarantees accepted by the European Commission (Binding Corporate Rules, Standard Contractual Clauses)

5. Overall guarantees: How does the company prove that the above practices are enforced?

The GDPR is revolutionary because it applies a risk-based and by-design approach to data protection. Companies have to assess risks related to the management of personal data and implement appropriate technical and organizational measures to minimize them. Beyond this, they have to able to prove that they took the necessary steps that are appropriate to the risks.

This applies to any cloud provider that you consider using, too. Although the GDPR is a new regulation, there are further data protection guarantees you can look for. Look for other information security certifications or compliance standards like ISO, HIPAA. Check if third-party information security audits were performed.

5. More information on security and compliance

  • Ask about existing data protection practices at the company
  • Look for other information security certifications or compliance standards like ISO, HIPAA
  • Check if third-party information security audits were performed
Dropbox
Box
OneDrive
Technology measures: encryption
Encryption at-rest
On request for businesses
Encryption in transit
End-to-end encryption for storage
End-to-end encryption for file sharing
Encryption keys controlled by the user
Only if using external encryption module
Partly / on request for enterprises
Partly / on request for enterprises
Provider never has access to the plain text content of user files

ebookGet the eBook to see full comparison

Chat