When it comes to the digital transformation of our workplaces, two realities are hard to contest. First, cloud solutions offer exceptional services and clearly point the way forward. Second, while the GDPR's continued relevance and importance are beyond dispute, applying it to cloud projects remains a considerable technical and governance challenge.
Over the past two years, there have been heated debates on the role hyperscalers should (or shouldn't) play in European organizations' cloud journeys. Much of this discussion was ignited by the Court of Justice of the EU's Schrems II ruling, which invalidated the EU-US Privacy Shield and tightened the conditions for data transfers from Europe to the US, the home of all major hyperscalers.
A juggling act: Cloud adoption, GDPR compliance & European data sovereignty
It is essential for Europeans to actively participate in shaping the digital future and safeguarding sovereignty. At the same time, individual businesses must do their utmost to remain competitive. But how? In a highly developed economy like Europe's, competitiveness depends on measures that boost productivity and efficiency. In practice, that means cloud technology and the topic du jour: AI.
Regrettably, the public discourse around European data sovereignty has inadvertently slowed digital transformation in organizations. The delay is less about the feasibility of implementing and completing such projects than about the regulatory complexity that accompanies them, which often exceeds the comfort level of the boards that are accountable for them.
Embracing DPIAs & understanding risk management
In terms of GDPR compliance within a cloud project, the Data Protection Impact Assessment (DPIA) often presents the most significant challenge. A DPIA is mandatory under Article 35 GDPR whenever the processing is likely to result in a high risk to individuals, and a large-scale cloud migration usually meets that bar. Here's why it is hard: the assessment compels organizations to identify, evaluate and mitigate the data protection risks that arise from the project before it goes live. Where personal data leaves the EEA, the exercise should be complemented with the applicable Transfer Impact Assessments (TIAs), which depend on the specific service offering, its configuration and the intended use cases.
While the DPIA provides considerable insight and adds value when initiating a new project, it also brings additional complexity, namely the need for technical, legal and organizational expertise in one exercise.
That complexity does not lie so much in the risk management exercise itself, but rather in the requirement for organizations to assess a cloud platform's risk (1) from a technical perspective they may not fully grasp, and (2) with respect to its usage, which may not be fully defined yet, since the flexibility of cloud technology is one of its primary benefits.
Although the data protection authorities' guidance on DPIAs encourages organizations to publish at least a summary of their assessments, which would undoubtedly be helpful to others, in reality very few do. So, what can be done in the meantime? To start, exchange as much as possible with peers and do thorough desk research to identify relevant resources. All hyperscalers provide valuable documentation and assistance, but this should be supplemented with independent resources and checked against the specifics of your own case: the services you actually use, how they are configured, and where the data flows.
Expertise in action
KPMG has extensive experience conducting DPIAs, with a particular focus on Microsoft 365 migrations. Not only do we have in-depth knowledge of the tool's technological aspects and an overview of typical use cases, but we also understand the common risks from a privacy and strategic perspective, and have evaluated these risks' likelihood and impact during numerous client workshops. As our teams understand the operational ramifications of such initiatives, they are fully equipped to effectively deal with obstacles in cloud transformation projects (e.g. Microsoft 365 deployments).
What we know for certain is that the question isn't whether your organization should embark on digitalization, but rather how you should approach it. The ultimate goal? A solution that is sustainable from operational, financial, and governance perspectives. Want to know more? Reach out to our team today!