GDPR and Cyber Security: Putting Data in the Cloud

Cartoon strip that discusses the challenges of choosing cloud services that are GDPR compliant.

Understanding what platforms to collaborate through

(This article was published in a previous iteration of the OCSRC website in July 2018. It was written in collaboration with Piers Clayden of ClaydenLaw.)

Small businesses don’t know which parts of the cloud are secure enough to collaborate through.

Small organisations with neither premises nor IT equipment have something else in common: a need to exchange files. The cyber security industry has done an excellent job of telling them that email probably isn’t secure enough for lots of the things they use it for... but we didn’t provide them with an alternative.

Some small businesses aren’t going to fork out £100 each for solutions such as Office 365, and charities' volunteers are very unlikely to want to absorb software costs on behalf of an organisation.

Nobody understands enough of the Ts&Cs to compare Drive with Dropbox (let’s face it, who reads those things before they agree?!), although both are probably more secure than an individual's own devices. Some voluntary organisations end up using ‘secret’ Facebook groups to exchange files in the same way that others use Microsoft SharePoint...

So what terms and conditions does Piers Clayden expect these small organisations to be looking out for?

“These kinds of tools all involve the storing and processing of personal data outside of the organisation – as such they will be “processors”. Organisations should only use service providers who have demonstrated to the organisation’s satisfaction that they have given sufficient guarantees that they can comply with the GDPR.

“The buck will stop with the customer (the charity or micro organisation) rather than the service provider where there is a security breach and the customer is unable to show they have done sufficient due diligence on the provider.

“The GDPR also mandates that the agreement between the organisation and the provider contains certain provisions dealing with, amongst other things, following the customer's instructions, sub-contracting, export of personal data outside of the EEA, and enabling the controller (the customer organisation) to comply with its own GDPR obligations.”

These requirements sit uneasily alongside the experience with service providers I described in an earlier article: sometimes a contract is so small that the provider doesn't feel obliged even to answer cyber security enquiries, which makes the due diligence the GDPR expects of the customer hard to carry out.

What look like trivial or farcical problems in a larger organisation may ultimately paralyse SMEs or small groups of volunteers, damaging businesses and community resources.

Ultimately, the security of big-brand platforms is usually pretty good... They really don't want millions of unhappy customers. However, if they're offering people something for free, it's likely that your data is part of the deal... Which is fine when individuals are making decisions about where to store their own personal data. People making this decision for other people, when they work or volunteer, need to be more cautious and to understand what decisions they're making on behalf of others, who may value their privacy differently. They're going to have to start reading the Ts&Cs more carefully, and checking whether the free tier actually comes with the contractual terms described above.

Being realistic, micro organisations need to assess their risk and decide which solution they can live with, even when it seems like there's no perfect solution. No cyber security decision is ever perfect. However, making it difficult or impossible for employees to exchange information will result in them finding an easier, more risky way... probably using one of those platforms the business decided wasn’t secure enough.