So what can you store in US cloud services, what must you store in European solutions, and to what issues must your organisation pay particular attention? Getting the right answers to these questions is increasingly important now in the light of, amongst other things, a ruling in the European Court in the summer of 2020. The ruling is known as Schrems II after the Austrian lawyer, Max Schrems, who took Facebook to court for the second time. In brief, Max Schrems complained that his personal data on Facebook was being transferred to US servers and that the data was consequently not protected in accordance with the EU’s fundamental rights.
The European Court ruled in Max Schrems’ favour: personal data in EU countries shall not, as a principal rule, be transferred to a so-called third country, i.e. a country outside the EU/EEA. The ruling also clarified the legal requirements for Swedish companies and organisations with regard to personal data and GDPR, according to Alexander Kotka, DPO at Iver.
“Swedish companies, municipalities, and authorities can absolutely use cloud services. But the key is which cloud services they can use – and for what,” says Alexander, and adds,
“If there are no personal data involved, then using cloud services from the big global operators is not a problem. But when it comes to HR systems which contain information about employees, for example, or to an authority’s personal data – that information has to be stored in Europe.
“The clarification of the Directive also means that personal data management and how well a company or organisation complies with GDPR has become a matter of trust,” notes Alexander.
“We are of the opinion that if a company doesn’t take laws and directives seriously and start storing personal data correctly, trust in them will plummet. The way we usually put it is, ‘Can you afford not to comply with GDPR?’ because if you neglect this side of things, the losses – in terms both of trust in your company and of the number of customers – can happen really quickly.”
Iver’s Compliant Cloud is a cloud service that addresses these specific issues, because Compliant Cloud is a cloud with built-in regulatory compliance. The service is provided from Iver’s security-classified data centres in Sweden, Norway, and Europe, and is designed for authorities and organisations with particularly stringent regulatory requirements when it comes to security and data storage.
Alexander’s advice to clients, when it comes to ensuring well-thought-out and smooth, full-service solutions in this field, is to start from the bottom up and link the issue of GDPR and personal data to the organisation’s overall cloud strategy.
“A robust cloud strategy needs to answer questions about what will be transformed, which cloud is suitable for a given application or service, and finally, how we go about it. Risk analyses and information classification – how different types of data should be processed and stored – are the alpha and omega here. They need to be included right from the very start so that we can ensure that regulatory compliance and personal privacy are built into both the strategy and the solution, and so that you avoid the risk of expensive ‘after-the-fact’ constructions,” concludes Alexander.