Who is Responsible for Data Protection Compliance in the Cloud
In Russia, the law "On Personal Data" (No. 152-FZ, dated 27 July 2006) protects the personal data of citizens. For companies this means that in order to collect, process and store data about employees, customers, website visitors, etc., you need to obtain their consent, and the data must be stored in Russia. Otherwise, the company will be fined. If an organization uses a cloud to store personal data, its protection and privacy are often considered risky. In this article we discuss how to comply with the regulator's requirements, what responsibility is placed on the personal data operator and on the provider, and what you should know when choosing a cloud provider.
Personal Data in the Cloud – responsibilities of providers and operators
Before moving a database with PD to the cloud, you need to understand the responsibilities of an operator and of a cloud provider. If you work with the personal data of Russian citizens (e.g. website users who can register on a website, leave a request, place an order, etc.), then you are an operator.
According to Article 3 of the Federal Law "On Personal Data":
The operator – a state body, municipal authority, legal entity or natural person, independently or together with other persons organizing and (or) carrying out the processing of personal data, and also defining the purposes of processing of the personal data, the composition of the personal data subject to processing, and the actions (operations) performed with the personal data.
The first thing the operator has to do is to decide which data it will store in the cloud.
Data operator's responsibilities:
Determine the current threats and the required level of security of the personal data information system.
Determine the security measures necessary to protect against the current threats.
Build a private model of the actual threats for the enterprise.
Implement the protection system in its own segment of the information system.
Make sure that the selected cloud provider has all the necessary licenses (FSB, FSTEC).
Cloud Provider’s responsibilities
The responsibilities of the provider include the following:
Obtain FSB and FSTEC licenses, as well as a license from the Ministry of Communications if telematics services are provided.
Identify the type of current threats and the maximum level of security for the cloud.
Build a private threat model for the cloud.
Implement protection based on the developed model.
Allow the operator to deploy additional security features.
Help the customer implement protection measures for their specific case.
Tips for Choosing Cloud Provider
When it comes to storing personal data in the cloud, the question of safety naturally arises. Is it safe to store data in the cloud? Before choosing a cloud provider, you should assess the information security risks and their potential impact on your business.
You might consider the following risks to your data in the cloud:
weak security measures that compromise data protection
malicious activities targeting the service provider (viruses, hacker attacks)
the human factor – unauthorized access, data loss or damage caused by the provider.
The cloud provider must be able to give information about the level of security it ensures in the cloud, indicating the types of current threats that are neutralized. It is better to ask the provider to show a document confirming an external audit by an independent auditor. In addition, the provider should have a threat model for the secure segment of the cloud and, if necessary, present it to the client, including a description of the measures and the ways the current threats are neutralized.
Another important indicator is the reliability of the provider's data center. But if your provider does not have the necessary licenses, then from the point of view of the legislation the personal data cannot be considered protected, whatever the technical measures.
The cloud provider should have the following licenses:
FSB license – for the design and supply of encryption systems, the operation and maintenance of information and telecommunications systems with cryptographic data protection, and the lease of communication channels and systems with encryption protection.
FSTEC license – for activities in the technical protection of confidential information.
In addition, it is important to consider how backup and recovery are provided. The cloud provider must be prepared to provide a certified crypto gateway as an additional or basic service.
The Cloud4Y "Federal Law 152-FZ cloud" service is tailored specifically to international companies that need to store and/or protect personal data in Russia in accordance with the law (242-FZ, 152-FZ). Our cloud infrastructure is proven to secure PD from the 19 types of threats mentioned in Federal Law 152-FZ and is certified by FSTEC and the Federal Security Service.