GDPR means businesses must show they are serious about cloud data privacy

This is a guest blogpost by Julian Box, CEO, Calligo.

The prospect of ambulance-chasing lawyers interesting themselves in the General Data Protection Regulation (GDPR) is now very real.

With just a few months to go before the European Union’s landmark set of regulations comes into force next May, any business storing or processing customer data in the cloud needs to consider the advantages of being able to demonstrate the steps it is taking towards compliance.

Given the rights that European citizens will have under GDPR to interrogate organisations about how their data is being handled, no-win, no-fee lawyers are likely to be very interested in any instance of non-compliant data-handling. With so many organisations hoarding data in the hope that one day some of it will be valuable, the dangers are substantial.

Mistakes are easy

On a day-to-day level it is very easy for small and mid-size organisations to fall foul of the new rules. Few realise, for example, that the CV of an unsuccessful job applicant should be deleted if no explicit consent for the file’s retention is obtained. This is because the data is no longer relevant under the terms of the GDPR.

In too many cases, businesses still lack a suitable mechanism for answering subject requests about data. We have already seen incidents where a request about personal data under existing legislation has resulted in an unedited swathe of data being transferred, compromising the privacy of many other individuals.

Even cyber risk insurance is unlikely to cover the potentially immense costs of being in breach of the GDPR, which include penalties of up to four per cent of global turnover, along with the financial drain of having to compensate the individuals affected.

Compliance will be a real commercial differentiator

There is, however, every reason to be optimistic. As awareness grows of the obligations imposed by GDPR, businesses and supply chain partners that demonstrate the steps they have taken to achieve compliance will not only be in a better position with the regulators, they will also give themselves a significant commercial advantage. This is bound to become particularly acute for organisations entrusting substantial amounts of personally identifiable data to the cloud where they run their applications.

It is true that a number of standards already apply to cloud, and which organisations can insist on even though they are not specific to it, such as ISO 27001, PCI compliance and Sarbanes-Oxley Act (SOX) compliance. There are also those specifically related to the cloud, such as CSA STAR.

But to demonstrate that GDPR-compliance is being addressed directly and comprehensively, an organisation utilising a cloud provider needs to ensure that there is a legal contract defining the restrictions around the key Data Controller and Processor relationship concepts of the new regulation.

The speed of adoption and expansion of cloud has meant that many organisations enjoying its benefits do not fully understand how much of its resources they are consuming, both from SaaS solutions and from their gradual accumulation of IT and dev-ops initiatives. In the age of the GDPR this is a reckless position to be in.

As more and more tech companies embrace subscription-style services based in the cloud, the need to act in compliance with the regulation becomes ever more urgent. The GDPR demands that organisations have far better understanding and supervision of their cloud footprint (and indeed their private infrastructures and data-sets).

The point here is that while there is no single, magic tool that will sort out compliance for an organisation, there are steps that can be taken. It is a question of sorting out data governance now and building in a privacy-by-design approach to the cloud.

Find the best hands-on provider

Businesses must take informed advice from hands-on experts about what is compliant and adapt their processes and workflows accordingly, using the applications and technologies available from cloud providers offering genuine performance guarantees. It is no small task for a mid-tier business, but it is perfectly achievable.

If an organisation has a cloud provider that is clearly expert in GDPR compliance and operates to best-practice standards, it will be able to demonstrate it has taken all reasonable steps and implemented the appropriate technological advances, as GDPR requires. In the event of a security breach (as opposed to a failure of compliance) this is likely to be a significant factor in the minds of regulators, reducing any penalties.

It is not just a question of living in fear of hungry lawyers or super-vigilant regulators either. There are immense cost and efficiency benefits to be derived from having better data stewardship. Everybody handling data should take note.

1 comment

I think not many companies are prepared for the changes that will be taking place. Having a medium-sized business in the finance sector myself, through networking I know owners of many other companies. When the talk turns to GDPR, many of them aren’t even aware of the impact it will have on their business and, despite it being in the news for months, don’t think it will be affecting them. I think it is very important to firstly educate yourself on the changes and then find and work with an experienced cybersecurity firm. We chose to go with http://www.nasstar.com/, mainly because when we were looking for a firm they had a great deal of experience in the finance sector, and they have so far been great in advising us and getting us ready for the steps we need to take to comply with the new changes.
