Cloud services are widely used in the public sector, but data protection concerns can hamper their use. This article explains the recommendations made by the European Data Protection Board (EDPB) for using cloud services in compliance with the General Data Protection Regulation (GDPR).
Cloud Services as a Solution for Data Processing in the Public Sector
Cloud services are a popular solution for many organizations and authorities for storing and processing data. However, data protection concerns can hinder cloud usage. To counter this, the data protection authorities in the EU have published recommendations for the use of cloud-based products or services in the public sector.
EDPB Recommendations for GDPR-compliant Use of Cloud Services
As Oliver Schonschek writes in his article “What to Consider When Using Cloud Services” in Computerweekly on February 15, 2023, the European Data Protection Board (EDPB) has developed recommendations for GDPR-compliant use of cloud services in a coordinated enforcement action in 2022. A total of 22 data protection authorities in the European Economic Area examined the use of cloud-based services in the public sector, reaching out to around 100 public bodies, including European institutions from various sectors. The recommendations are intended to help the public sector use cloud services in compliance with the GDPR.
The EDPB recommendations include a data protection impact assessment (DPIA), clear definition of roles, processing by the cloud service provider (CSP) on behalf of the data controller, the possibility of objecting to new sub-processors, determining the purposes for the processing of personal data, involvement of the data protection officer (DPO), collaboration with other public bodies in negotiations with the CSP, review of compliance with the DPIA, ensuring that the procurement process includes all necessary requirements for compliance with the GDPR, identification of transfers in the context of routine provision of services and in the case of processing of personal data for the CSP’s own business purposes, analysis of the legislation of a third country, review of the cloud contract, and conditions for audits and certification as a basis for data transfer.
Conclusion: EDPB Recommendations Comply with GDPR Requirements
The EDPB recommendations comply with GDPR requirements and show where there is a need for data protection in cloud usage and how it can best be implemented. Organizations, especially those in the public sector, should take these recommendations into account to ensure their cloud services are secure and GDPR-compliant.
It is crucial that public bodies follow the EDPB recommendations not only when using cloud services on desktop computers, but also when using smartphones and tablets. More and more employees are using their mobile devices to access cloud services, which increases the risk of data breaches.
Organizations must ensure that all mobile devices used to access cloud services are properly secured and configured to ensure compliance with data protection policies. The use of mobile device management (MDM) systems like Cortado MDM can help by enabling public bodies to centrally manage and secure their mobile devices.
MDM systems allow organizations to enforce security policies, encrypt data on mobile devices, and lock or erase lost or stolen devices to prevent data leaks. Therefore, the use of MDM systems is an important step in ensuring that businesses and government agencies comply with the recommendations of the EDPB and the requirements of the GDPR when using cloud services on mobile devices.
To sum up, it is important for organizations and government agencies to follow the recommendations of the EDPB and all other applicable data protection regulations to maintain citizens’ trust in data privacy and ensure data protection.