The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in the law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The regulation also addresses the transfer of personal data outside the EU and EEA areas with a primary aim to enhance individuals’ control and rights over their personal data, as well as to simplify the regulatory environment for international business.
The regulation has become a model for many other national laws outside Europe, including those of the United Kingdom, Turkey, Mauritius, Chile, Japan, Brazil, South Korea, Argentina and Kenya, among many others.
In the cloud context, Huawei acts as a data processor, while controllers (usually the customer) using Huawei solutions maintain control over data hosted on this infrastructure. This includes security configuration controls for handling end-user content and personal data.
Huawei therefore only processes personal data as instructed by the data controller. This gives the data controller (end user) full control over his/her data hosted on Huawei Cloud, which ensures privacy protection through 3 phases.
Privacy protection from solution design
By default, privacy protection requirements are incorporated into the development life-cycle from the early stages of Huawei Cloud products and solutions.
From concept, external privacy protection requirement analysis is performed to meet customer privacy protection requirements, privacy protection requirements in target markets and best privacy protection practices in the industry.
At the design stage, privacy protection risk analysis and design ensures that PIA and PbD are incorporated into a spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege (STRIDE) threat analysis model. Compliance with privacy protection guidelines is also considered during the planning phase.
To test quality of service (QoS), privacy protection testing puts products through a series of tests, including solution, case and verification tests, in addition to independent protection acceptance by the Independent Cyber Security Lab (ICSL) before product release.
Huawei completed the rectification of 27 product versions before GDPR enforcement. After GDPR enforcement, all product versions must strictly follow the requirements.
The Privacy Protection Guidelines have been released in 4 versions, on an annual basis.
Privacy protection from process design
By process design, Huawei Cloud has set up a top-down governance architecture to ensure effective execution and supervision of activities. Led by the Global Cyber Security and User Privacy Protection Committee, which is chaired by a rotating chairman, the Global Cyber Security & Privacy Officer (GSPO) ensures privacy, security and legal affairs are tabled to meet industry standards.
Data subject rights are protected by developing explicit management requirements, processes and unified IT systems (PDMR). These include the rights to know, access, rectification, erasure, restriction of processing, data portability and objection, as well as rights relating to automated decision-making and profiling.
The process includes service level agreement (SLA), request acceptance, handling, result feedback and request closure before redirection to the IT platform.
On the frontend, users can submit questions about personal data on the Huawei official website. Each background function has dedicated personnel to handle user questions within a specified time, ensuring that all requests can be handled within the legally stipulated period.
Huawei has also developed 12 types of data processing agreement (DPA) and due diligence (DD) templates based on the categories and delivery scenarios of GDPR suppliers. As per GDPR requirements, all GDPR suppliers involved in cooperation with Huawei must sign the DPAs and conduct DD to comply with GDPR in order to process personal data.
Privacy protection via a range of technologies
HUAWEI CLOUD customers have access to a range of privacy protection technologies. These include access control and identity authentication, data encryption, log and audit, and related privacy enhancing technologies (PETs).
PETs include equivalence class, differential privacy, anti-tracking, blockchain-based private payment, privacy-preserving computation, data masking, searchable encryption, among other technologies.
The HUAWEI CLOUD cyber security and privacy protection capabilities are widely recognized around the world. So far, the cloud computing platform has earned certifications from more than 10 global organizations. These include the Payment Card Industry Data Security Standard (PCI DSS), CSA STAR Cloud Security, AICPA certifications, SOC 1 Type II Report, SOC 2 Type II Report, SOC 3 Report and ISO certifications 2015, 2017, 2019.
In summary, Huawei Cloud is a GDPR-compliant service provider that not only ranks 5th in the cloud computing market, but now offers global customer privacy protection for every service and server instance hosted on the platform.
A Report by Mr. John – Huawei Uganda Global Cyber security & Privacy Officer (GSPO)