This is a guest blog post by Julian Box, CEO, Calligo.
The prospect of ambulance-chasing lawyers interesting themselves in the General Data Protection Regulation (GDPR) is now very real.
With just a few months to go before the European Union’s landmark set of regulations comes into force next May, any business storing or processing customer data in the cloud needs to consider the advantages of being able to demonstrate the steps it is taking towards compliance.
Given the rights that European citizens will have under GDPR to interrogate organisations about how their data is being handled, no-win, no-fee lawyers are likely to be very interested in any instance of non-compliant data-handling. With so many organisations hoarding data in the hope that one day some of it will be valuable, the dangers are substantial.
Mistakes are easy
On a day-to-day level it is very easy for small and mid-size organisations to fall foul of the new rules. Few realise, for example, that the CV of an unsuccessful job applicant should be deleted if no explicit consent for the file’s retention is obtained. This is because the data is no longer relevant under the terms of the GDPR.
In too many cases, businesses still lack a suitable mechanism for answering subject requests about data. We have already seen incidents where a request about personal data under existing legislation has resulted in an unedited swathe of data being transferred, compromising the privacy of many other individuals.
Even cyber risk insurance is unlikely to cover the potentially immense costs of being in breach of the GDPR, which include penalties of up to four per cent of global turnover, along with the financial drain of having to make financial redress to the individuals affected.
Compliance will be a real commercial differentiator
There is, however, every reason to be optimistic. As awareness grows of the obligations imposed by GDPR, businesses and supply chain partners that demonstrate the steps they have taken to achieve compliance will not only be in a better position with the regulators, they will also give themselves a significant commercial advantage. This is bound to become particularly acute for organisations entrusting substantial amounts of personally identifiable data to the cloud where they run their applications.
It is true that there are already a number of standards that apply to the cloud, and that organisations can insist on even though they are not specific to it, such as ISO 27001, PCI compliance and Sarbanes-Oxley Act (SOX) compliance. There are also standards specifically related to the cloud, such as CSA STAR.
But to demonstrate that GDPR compliance is being addressed directly and comprehensively, an organisation using a cloud provider needs to ensure that there is a legal contract defining the restrictions around the Data Controller and Data Processor relationship, the key concepts of the new regulation.
The speed of adoption and expansion of cloud has meant that many organisations enjoying its benefits do not fully understand how many of its resources they are consuming, both from SaaS solutions and from their gradual accumulation of IT and DevOps initiatives. In the age of the GDPR this is a reckless position to be in.
As more and more tech companies embrace subscription-style services based in the cloud, the need to act in compliance with the regulation becomes ever more urgent. The GDPR demands that organisations have far better understanding and supervision of their cloud footprint (and indeed their private infrastructures and data-sets).
The point here is that while there is no single, magic tool that will sort out compliance for an organisation, there are steps that can be taken. It is a question of sorting out data governance now and building in a privacy-by-design approach to the cloud.
Find the best hands-on provider
Businesses must take informed advice from hands-on experts about what is compliant and adapt the processes and workflows accordingly, using the applications and technologies that are available from cloud-providers offering genuine performance guarantees. It is no small task for a mid-tier business, but it is perfectly achievable.
If an organisation has a cloud provider that is clearly expert in GDPR compliance and operates to best-practice standards, it will be able to demonstrate it has taken all reasonable steps and implemented the appropriate technological advances, as GDPR requires. In the event of a security breach (as opposed to a failure of compliance) this is likely to be a significant factor in the minds of regulators, reducing any penalties.
It is not just a question of living in fear of hungry lawyers or super-vigilant regulators either. There are immense cost and efficiency benefits to be derived from having better data stewardship. Everybody handling data should take note.