Only one in 100 cloud providers meet latest EU data protection requirements

Majority of cloud providers are not yet prepared to meet the requirements of the new EU data protection regulation

The vast majority of cloud providers are not yet prepared to meet the requirements of the new EU General Data Protection Regulation that will come into effect next year to replace the EU Data Protection Directive adopted in 1995, research has revealed.

Only one out of 100 cloud service providers are ready for the new data protection directive that aims to modernise the older directive to suit the needs of the internet and cloud era. 

The new directive, which could be passed in 2014 for implementation in 2015, requires data controllers (enterprises that own the data) and data processors (such as cloud providers and datacentre hosting companies) to share the liability for data breaches and violations of the law.

The proposed regulation will apply to European businesses that process personal data and businesses outside the EU that monitor EU citizens or process personal data obtained from offering goods or services to EU citizens.

But the study of more than 7,000 cloud services by security provider Skyhigh Networks revealed that suppliers have significant issues around new regulatory requirements such as data residency, data breach detection and notification, encryption and data deletion policies (the right to be forgotten).

The hefty fines will make data protection a boardroom issue and will require companies to carefully review what they need to do to comply

“It’s staggering how few cloud providers are prepared for the new EU regulations but, fortunately, there’s still time for providers to get into shape. This means addressing a number of complex issues now, such as the right to be forgotten, as well as implementing data protection policies that meet these new standards,” said Charlie Howe, European director for Skyhigh Networks.

The latest directive is aimed at strengthening consumer and business trust in Europe’s digital economy.

“For cloud providers this will inevitably require additional resources and expenditures, but it’s a snip given the proposed penalties for violating the new laws, which can be up to 5% of a company’s annual revenue or up to €100m,” he warned.

This is in stark contrast with the 1995 Data Protection Directive, which offers no guidance on penalties. The hefty fines will make data protection a boardroom issue and will require companies to carefully review what they need to do to comply, according to some experts.

The proposed law governs how organisations treat the privacy of personal data and has far-reaching implications, experts warned.

The right to be forgotten – a massive headache

One of the most well-publicised and controversial amendments to the new regulation is the right to be forgotten – where individuals have the civil right to request that personal information be removed from the internet. “It is a complex issue but, given the media interest surrounding it, one that’s unlikely to blindside cloud providers,” Howe said.

“Still, when you consider that the average organisation uses 738 cloud services, complying with this requirement presents some unique challenges. A big problem is that 63% of cloud providers maintain data indefinitely or have no provisions for data retention in their terms and conditions,” he added.

On top of this, another 23% of cloud providers maintain the right to share data with another third party in their terms and conditions, making it even more difficult to ensure all copies are deleted, the study found.

“It’s fair to say that the right to be forgotten could turn out to be a massive headache for many organisations – cloud service providers themselves and those companies using these services – it’s not just an issue for Google,” Howe said.

The study also revealed that only 11 countries satisfy EU privacy requirements around data residency.

The regulation requires that enterprises do not store in or transfer data through countries outside the European Economic Area that do not have equivalently strong data protection standards. 

The data residency requirements also apply to cloud providers with datacentres around the world, which in the normal course of operation may transfer and store data in countries that do not meet European privacy rules.

The US, where the majority (67%) of all cloud datacentres are headquartered, is not among these 11 countries.

Data residency will be a significant issue for cloud services when the new regulations come into force – especially as only 8.9% of US providers have the Safe Harbor Certification, which provides exemption to these regulations, according to Skyhigh Networks.

“A draft version of the new regulation would require organisations to notify EU regulatory authorities within 24 hours of a data breach, even if the breach occurs in a third-party cloud service. The problem arises from the fact that many cloud providers expressly put the responsibility on the customer to detect breaches and this can be an impossible task,” said Howe.

“Some existing regulations, including the UK General Data Protection Regulation and France Data Protection Act, allow organisations to circumvent breach notification requirements if data is made inaccessible to third parties using encryption. Unfortunately, only 1.2% of cloud providers today provide the tenant-managed encryption keys required to do so,” he added.

Existing European data privacy laws also require that organisations take steps to protect personal information. For instance, the France data protection authority CNIL recommends strong passwords, secure workstations, network security and information security training.

“The challenge is that not all cloud providers offer tools to secure data natively. In fact, only 2.9% of cloud services enforce secure passwords.

"The General Data Protection Regulation does not come into effect until 2015, but there’s some serious work to do before that,” Howe concluded.  

Read more on Datacentre disaster recovery and security