Operational sovereignty in personal data processing in cloud environments

The AEPD highlighted that even when organisations store data in the EU, data storage may still depend on centralised services (such as identity management, DNS or encryption key management) located outside of the EEA. An issue with these services may compromise the ability to process data in the EU, including system availability and resilience, potentially resulting in a breach of Article 32 GDPR (security of processing) and impacting the rights and freedoms of data subjects.

To mitigate this risk, the AEPD suggests that controllers using cloud services: 

• review their data protection impact assessments (DPIAs) to ensure they consider the risk and impact of cross-border dependencies on the availability of their services; 
• ask their third party service providers to provide information on the location of their own resources; 
• design systems that are capable of keeping critical functions operating during any failure with the centralised services required to operate them; and
• consider whether to use multi-cloud or hybrid services to avoid single points of failure.

The AEPD notes that these measures align with the GDPR’s accountability principle, which requires controllers to identify, assess and mitigate risks associated with critical technological dependencies.

The article is available here.