Risk management for cloud compliance with the EU general data protection regulation

Many cloud users are oblivious to the potential regula¬tory risks facing them should they be unable to comply with the EU General Data Protection Regulation (GDPR). As a result of one of the last minute changes to the GDPR last year, whereby instead of requiring reporting of a breach 'within 72 hours of the occurrence of that breach', it was changed to 'within 72 hours of discovery of a breach'. Until this subtle shift in the regulation took place, a great many companies were very focussed on cutting the time between breach and discovery. Now, a great many companies, both large and small, have breathed a huge sigh of relief, and stopped working on cutting down this time. Another change to the regulation extended the jurisdiction of the regulation from data processors located anywhere in the whole of the EU, to any data processor processing the data of any EU resident, anywhere in the world. Of course, this is only an issue if a breach takes place, but as this is no longer a case of if, but when, then companies would do well to be prepared for this inevitable certainty. For those companies who use cloud, there are additional considerations which must be taken into account, due to the Cloud Forensic Problem. This paper considers how companies should address many of the unexpected risks associated with the use of cloud in their organisations, and considers how they should go about monitoring their systems in order to get a much faster idea of who is getting into their systems, and understanding the full extent of the risks involved. Failure to comply brings serious consequences with it. Fines for a single breach can rise to the higher of €20 million or 4% of global turnover.