How does GDPR impact digital preservation solutions in the Cloud?

Inside and outside of Europe, everyone is talking about the General Data Protection Regulation (GDPR) and what it means to their organization. Like most conferences we have recently attended, it was high on the agenda at 'ARMA Live!' in the US. Whether you are a hare or an ostrich in your readiness, GDPR needn’t be just a deadline viewed with trepidation. If approached positively it provides an opportunity for long-term improvements in your records management, digital preservation and operations in the cloud.

There’s already a lot of general information for controllers on how to prepare for GDPR, but after my own investigations I thought it might be helpful to provide some assistance for anyone who uses [or is thinking of using] the cloud for long-term digital preservation and is unsure how they can meet their GDPR compliance requirements, after all that’s a lot of what we do in Preservica.

First of all, the cloud. The GDPR article 28 states controllers "shall use only processors providing sufficient guarantees to (...) meet the requirements of this Regulation", so your choice of vendor(s) is critical to meeting your own obligations. But what if your chosen processor uses another processor whose service is in the cloud and does that make it harder for you to comply? This question is very important to us, as it is how we offer Preservica Cloud Edition. Our cloud solutions are hosted by Amazon Web Services (AWS) and there is good news here for anyone using a processor on AWS. The GDPR makes provision to ensure any further processors engaged with your information must contractually or legally meet the same data protection guarantees. Consequently, AWS has already stated their position that “all AWS services will comply with the GDPR when it becomes enforceable on May 25, 2018”.

Holding information in the cloud may also raise questions about territorial scope and transfers of personal data. It’s important to note that transfers outside of the EU are allowed but you should pay careful attention to how your processor meets the transfer obligations of articles 44-46. As an example, AWS provides a GDPR Data Processing Agreement to help address these requirements.

Now to digital preservation. Solutions, such as Preservica, ensure valuable digital information can be found, used and trusted for decades or longer, and this valuable information may well include personal data. The GDPR applies only to the personal data of living people so if you are a museum preserving a large collection of very old historical records it is unlikely to be considered within the scope of the regulation. But if your museum, library or archive has records with recent or current personal data that you want or need to keep for the long-term, then all controller requirements apply. These can include information of historical interest as well as important institutional documents which your organization may hold, such as staffing and donor records. If your business is in a highly regulated industry such as finance or pharmaceutical, then the scope of relevant information is even greater.

The regulation focuses on the ‘right to access’ through to preventing ‘accidental or unlawful destruction’ and this last point is very significant. Although many GDPR discussions refer to the ‘right to be forgotten’, it is also critical to ensure valuable information is preserved and protected for the long-term, when appropriate or required to do so. So, a digital preservation controller and processor may now need to comply with all of the GDPR obligations as well as meeting the needs of protecting and preserving information for the long-term. Fortunately, these requirements are not mutually exclusive. Preservation of digital information, the GDPR and best-practice information governance share many of the same principles and this is a topic I will be exploring in more detail soon.

In conclusion, the GDPR can be a positive driver for successful long-term preservation of information which includes digital preservation and when using a SaaS provider in the cloud. Preparing for GDPR means you will need to understand the information you hold a little better, but that means you can use it more effectively. At the same time, you can have more confidence in the accountability and security of those you choose to engage.

I am pleased to say Preservica customers can be confident that any personal data held in our cloud hosted services will be processed lawfully, meeting our requirements as a processor and helping you meet your GDPR obligations.

Gareth