Compliance and the cloud – developing a GDPR strategy

May 2018  |  FEATURE  |  DATA PRIVACY

Financier Worldwide Magazine

May 2018 Issue

The General Data Protection Regulation (GDPR) will have a significant impact on data protection governance in the European Union (EU). It will strengthen data protection rights for individuals, while imposing restrictions on the transfer of personal data outside the EU to third countries or international organisations.

The financial penalties for non-compliance are significant. The GDPR will levy a fine of up to 4 percent of a company’s global turnover or €20m, whichever is higher. While the fines are substantial, they reflect the significance attached to data protection in the modern context. GDPR is an important upgrade on previous data protection legislation in the EU, the Data Protection Directive, and given its implementation date of 25 May 2018, companies should now be fully prepared for the new regime.

Achieving GDPR compliance will be complex and challenging. Companies must develop a robust strategy. Moreover, GDPR compliance is not a one-time event; companies must remain compliant, which may require a re-think of their data storage capabilities.

The way data is stored has been revolutionised over the last decade with the rapid uptake of cloud computing services and applications. This is expected to continue. According to Cisco, the data stored in data centres globally will nearly quintuple by 2021 to reach 1.3ZB. The cloud is seen as an upgrade to many companies’ data security practices and data protection standards. It may also allow for better optimisation of IT resources, as well as providing greater flexibility at a reduced cost. Yet while the cloud is increasingly attractive for many organisations, it too will be heavily impacted by the GDPR. As a result, service providers must understand and comply with all aspects of the Directive.

According to the Netskope ‘Cloud Report’: businesses that use cloud services must ensure that their third-party provider’s data practices are compliant with GDPR. This a tough task when European enterprises reportedly use an average of 608 cloud apps. “Organisations underestimate this figure by about 90 percent. This is shadowed IT in a nutshell, and of course raises the question of how cloud-consuming organisations can ever hope to comply with the GDPR if they don’t know 90 percent of the apps people are using.”

GDPR compliance is not a one-time event; companies must remain compliant, which may require a re-think of their data storage capabilities.

“Cloud services have made business units like human resources and marketing more agile and productive, but at the same time the data in those cloud services needs to be safe from loss,” said Sanjay Beri, CEO and founder of Netskope. “Businesses must ensure compliant usage of cloud services. This means introducing contextual, activity-level policies, as well as deterring all employees from non-compliant actions such as uploading sensitive data to unsanctioned, user-led cloud services.”

Not all cloud providers have compliant data practices in place, however. Only 1.2 percent give users encryption keys that the customer manages. Furthermore, just 2.9 percent have secure password enforcement which meets the required GDPR standards, according to Netskope.

Companies utilising cloud services must take a number of steps if they wish to comply with GDPR. First, they must identify the cloud applications and service providers they are utilising. Given the sheer volume, this may be difficult. However, it will allow companies to determine where their data is being housed. The physical location of the service provider’s data centres will be critical under the GDPR. If the service provider is storing information in a data centre outside the EU, it will need to ensure that there are binding corporate rules in place to keep the data compliant.

Once the data has been located, companies (considered ‘data controllers’ under GDPR), should execute a data processing agreement with their service providers. Under the GDPR, ‘data controllers’ may only work with ‘data processors’ that provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subjects”. Data processing agreements between processors and controllers should take the form of a written contract which stipulates that the third-party business will processes personal data on behalf of the other. The agreement must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects and the obligations and rights of the controller.

GDPR will be a ‘game changer’ for companies. It will revolutionise the way organisations approach their data management strategies. It is also an opportunity for data security transformation. Not only must companies know what data they are storing and where it is stored, they must be familiar with the measures their cloud providers have in place to protect and secure it. They should know if their cloud provider has a privacy policy and a data protection officer overseeing their operations. They must also ensure that breach notification and response measures are in place at their service provider. Failure to pursue these measures may be costly for both the processor and the controller.

© Financier Worldwide

BY

Richard Summerfield

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.