Oracle Cloud Infrastructure and the GDPR

Yuecel Karabulut
Director of Product Management

I’m Yuecel Karabulut, a Director of Product Management for the Oracle Cloud Infrastructure Security & Compliance team. I want to tell you about the work that the Oracle Cloud Infrastructure team is doing to help customers with the General Data Protection Regulation (GDPR), as part of our continued commitment to help ensure they can comply with European Union (EU) Data Protection requirements.

The EU GDPR is a new, comprehensive data protection law that goes into effect on May 25, 2018. It applies broadly to organizations based in the EU and elsewhere that collect and process the personal information of individuals residing in the EU.

Oracle Cloud Infrastructure is an Infrastructure as a Service (IaaS) product in which responsibility for security is shared between Oracle Cloud Infrastructure and the customer. For details, see the Oracle Cloud Infrastructure Security white paper.

Enterprises need scalable, hybrid cloud solutions that meet all their security, data protection, and compliance requirements. To meet this need, Oracle developed Oracle Cloud Infrastructure, which offers customers a virtual data center in the cloud that allows enterprises to have complete control with unmatched security.

Oracle Cloud Infrastructure offers best-in-class security technology and operational processes to secure its enterprise cloud services. However, for customers to securely run their workloads in Oracle Cloud Infrastructure, they must be aware of their security and compliance responsibilities. By design, Oracle provides security of cloud infrastructure and operations (cloud operator access controls, infrastructure security patching, and so on), and customers are responsible for securely configuring their cloud resources. Security in the cloud is a shared responsibility between the customer and Oracle. Likewise, privacy compliance is also a shared responsibility between Oracle and the customer. We've recently published a GDPR white paper that explains some of this shared responsibility in the context of the GDPR and Oracle Cloud Infrastructure.

The GDPR defines three key actors:

  • Data subject: An individual whose personal data is gathered and processed by the controller

  • Controller: An entity that determines the purposes and means by which the data is processed

  • Processor: An entity that only processes data at the controller’s command

Generally speaking, Oracle Cloud Infrastructure handles two types of data in the context of its interactions with its customers:

  • Customer account information: Information needed to operate the customer’s Oracle Cloud Infrastructure account. This information is primarily used to contact and bill the customer. The use of any personal information that Oracle gathers from the customer for purposes of account management is governed by the Oracle Privacy Policy. With customer account information, Oracle Cloud Infrastructure acts as a controller in this narrow instance.

  • Customer services data: Data that customers choose to store within Oracle Cloud Infrastructure, which may include personal information gathered from data subject users. Oracle does not have insight into the contents of this data or the customer’s decisions regarding its collection and use. Additionally, it is important to note that Oracle does not have a direct relationship with the data subject users. In this situation, the customer is the controller and manages the data. Oracle Cloud Infrastructure is the processor that acts on the commands of the customer.

The Oracle Cloud Infrastructure GDPR white paper focuses on customer services data and any personal information that it may contain from the customer’s data subject users.

GDPR Article 5 defines “principles related to processing of personal data.” In this regard, personal data must be:

  • Processed lawfully, fairly, and transparently

  • Collected and processed for a limited purpose (purpose limitation)

  • The minimum amount necessary for the purpose (data minimization)

  • Accurate

  • Stored only as long as necessary (storage limitation)

  • Processed securely (integrity and confidentiality)

The Oracle Cloud Infrastructure GDPR white paper outlines how Oracle Cloud Infrastructure and its customers allocate or share the responsibilities for some of these principles. More specifically, the paper does a great job of explaining how customers can use Oracle Cloud Infrastructure security processes, services, and features to meet the requirements of the GDPR, including services for auditing, authentication, administrative access controls, network security controls, isolation, high availability, and encryption.

Oracle’s mission is to build cloud infrastructure and platform services where Oracle customers have effective and manageable security to run their mission-critical workloads and store their data with confidence and meet their regulatory requirements. As we head toward May 2018, we will continue to assist our customers in answering their GDPR-related questions and help them comply with the GDPR.
