What are critically important points regarding your personal data in the cloud?
- What are Cloud compliance and a cloud service which is future-proof (unlikely to become obsolete)?
- Storing your personal data in the cloud – how is this affected by the GDPR and the Cloud Act?
- How best to secure cloud compliance as an iGaming operator?
- A useful checklist to ensure that your personal data in the cloud is handled correctly
Cloud Compliance – future-proof cloud services
Since early 2020, businesses have been compelled to readjust to the new normal. For most this means that they can no longer count solely on land-based businesses as their principal source of revenue. This has led to an explosion of online activities, which require an ever-higher degree of security for one’s private data. As the tech world has blossomed so has the concept of improved security. The cloud offers almost unlimited opportunities, but we all have to future-proof our businesses through innovation. This means evaluating all risks, staying up to date with all legal aspects, and protecting our companies and their systems from uncertainty and vulnerability.
The effects of GDPR and the Cloud Act on the storage of your personal data in the cloud
As most businesses move their IT environment to the cloud, they seek out reliable cloud services. All of your most precious personal data in the cloud remains in the hands of your cloud service provider. That is why we must delve into the implications for your personal data in the cloud as regards the EU-common GDPR as well as the U.S. Cloud Act.
The GDPR
In EU law the General Data Protection Regulation, or GDPR, has been in effect since 2018, overseeing the privacy and protection of data within the EU and EEA. It indicates the basic rules relating to how this data must be managed by all companies and organizations. This data is defined as all information that directly or indirectly relates to or identifies any living person. The GDPR’s primary goal is to guarantee all EU citizens’ rights to personal privacy and their control over all such sensitive information.
One must bear in mind that it is permissible to shift personal data in the cloud from one EU country to another, given that the legislation is valid for all nations within the defined area. Furthermore, in order to transfer personal data in the cloud to countries that fall outside of the EU, either the external country must be EU-approved or have in place a separate agreement that ensures the protection of the data as stipulated by the GDPR.
The Cloud Act
The Cloud Act (Clarifying Lawful Overseas Use of Data), also introduced in 2018, is a U.S. law that not only protects individual data privacy but also allows U.S. authorities, under specific crime-related circumstances, to request and access all necessary data from any U.S. cloud service provider. This applies not just within American territory, but also to data kept outside of its borders, for example in the EU. The CLOUD Act permits the U.S. government to even establish bilateral agreements with other countries in order to allow law enforcement agencies the chance to exchange and access relevant data between one another.
Privacy Shield
The Privacy Shield was a structure accepted by both the EU and U.S. governments which enforced compliance with the EU data security requirements when, for commercial purposes, personal data in the could be transferred between the United States and the European Economic Area (EEA). One of its purposes was that of enabling U.S. companies greater access to private data from EU entities that fell under EU privacy laws, designed to protect its citizens. In July of 2020, the CJEU (Court of Justice of the European Union) invalidated the Privacy Shield through the Schrems II case, due to a lack of sufficient protection of the data transferred between the two continents.
What effects does this have on iGaming?
After the repealing of the Privacy Shield, a potential discord between the GDPR and CLOUD Act regulations has become a major concern. This comes down to potentially major legal issues faced by companies and organizations in the EU which choose to store data with U.S. cloud providers, who are subject to their local legislation.
The problem is that when U.S. authorities require the disclosure of personal data in the cloud as per the Act, it is in direct contravention of the GDPR laws, except where a separate agreement has been established. Even if the servers of a U.S. cloud provider are located in the EU, they are nonetheless governed by the CLOUD Act and therefore could be compelled to disclose their data to U.S. authorities.
A lot of iGaming entities in Europe still store their data with one of several major U.S. cloud companies like Google Cloud, AWS, or Microsoft Azure. This introduces the risk of encountering legal issues as regards the management of personal data in the cloud. The obvious solution is to keep your data with a European-based provider, ensuring a more secure and future-proof cloud service. This means that such storage falls within the GDPR framework, where no other country can intervene or contradict EU legislation.
A quick look at this recent report on data protection, published by Norton Rose Fullbright (a top source for keeping up to date, regarding the business impact of cybersecurity as well as global data privacy and protection), highlights the relevance of this issue:
“European Regulators found that the CLOUD Act could cause service providers to face a conflict between complying with U.S. law and complying with the personal data in the cloud protection required by the General Data Protection Regulation (GDPR) and other EU laws. They pointed to Article 48 of GDPR, ‘transfers or disclosures not authorized by Union law.’ That Article provides that a foreign court or agency’s order to a data controller or processor – such as a service provider – to transfer data ‘may only be recognized or enforceable in any manner if based on an international agreement, such as a Mutual Legal Assistance Treaty (MLAT) …”
“Because the CLOUD Act specifically contemplates court orders/warrants requiring the transfer of personal data without an MLAT, the European Regulators concluded: ‘service providers subject to EU law cannot legally base the disclosure and transfer of personal data in the cloud to the U.S. on such requests.’ … Their clear preference is for such disclosures to be made under a MLAT where ‘data is disclosed in compliance with EU law and under the supervision of the courts in the EU”.
How an iGaming operator can achieve secure personal data in the cloud compliance
Obviously, the iGaming industry relies enormously on the use of consumer data, especially regarding marketing and the development of new products. The future legal system will therefore call for substantial changes.
In many cases iGaming players are high-net-worth customers whose privacy is very valuable, presenting the unpleasant risk of major damage to the reputation of operators who do not fully understand all the implications of this new reality. Irrespective of your company’s choice of cloud service, whether hybrid, public or private clouds, a full understanding and compliance with the new regulations is essential. Achieving this will require a high level of commitment and dedication from both your business and your chosen cloud service provider. This is further complicated by the regular changing and updating of these guidelines.
There are, however, several key factors that can guarantee a secure and reliable cloud service, which we will delve into here. First and foremost is the importance of understanding the iGaming-related regulations applying to your company and the type of data that you wish to keep stored in the cloud. This includes the GDPR which oversees the managing of personal data in the cloud, and other rules regarding matters like how to handle all data relating to credit cards and payments, or those linked to individuals and companies’ financial information. Only by understanding which specific rules apply to the data handled by your business can you find the ideal provider which meets the relative requirements.
The second rule of thumb is to keep complete control over data security in your business. The principal causes of data intrusion are the lack of continual verification for logging in as well as badly managed routines when it comes to who can or should have the ability to access the data. An effective and trustworthy provider must guarantee the strict implementation of all relevant security protocols.
Thirdly, one must be prepared in case of a compliance review. This means being able to precisely track the storage location of your client’s data, give evidence of this as well as provide an explanation of all measures that you have implemented to ensure its protection. For this reason, your cloud service provider must necessarily supply you with detailed documentation proving where their servers and therefore the data, are located. A crucial factor in legal terms is whether the servers are within or outside of the EU, and also in which country your provider is registered. Legal issues can arise from the legislation in other countries, for example when the servers belong to a U.S. provider but are physically located in the EU.
Furthermore, to determine the legally applicable levels of security that are required, one should carefully classify the exact type of data in question. Either for compliance or security purposes, one can also choose to avoid using the cloud to store sensitive data. The use of private clouds is one potential solution here, providing improved security whilst not losing the benefits offered by cloud storage. Once the data has been clearly classified one can decide which of it requires maximum protection and find support with a secure but cost-effective solution.
The fourth point to consider is the level of encryption one requires, according to the data and cloud of choice. Encryption improves the level of protection needed in the event of an eventual data breach. An important part of compliance, it is necessary to qualify or quantify the application of encryption offered by one’s cloud service provider and its application. This means that one should ensure that the provider has adequate certifications for data security, such as ISO 27001. Most breaches are associated with insiders with direct access, whether intentional or not. The expertise of your cloud hosting provider should help to prevent this risk.
Last of all, though equally important, is the follow-up. Regulatory systems and laws change frequently, particularly when it comes to those of other countries of interest. However you choose to protect your data, the organization should ensure constant control and follow-up procedures. Only in this way can you stay on top of the game, keeping to the evolving requirements so as to be confident that all company data is protected at the highest level and in keeping with all applicable laws.
In summary, here are a few keys to creating the necessary foundations for cloud compliance.
- Stay up to date with cloud storage regulations and laws, according to your iGaming business and your valued customers
- Always know the location in which your data is stored. Stay aware of which information requires extra security and make sure that all data is encrypted before it goes into the cloud
- Make use of high levels of security and remain aware of who has access to your login protocols
- Maintain rigid routines to make sure that you continually monitor and are aware of all updates to the regulations relevant to your data storage.
Keep your personal data in the cloud secure
Articles
