
Cloud apps failing EU GDPR privacy regulation compliance so far

Cloud apps and cloud customers face challenges in complying with the EU GDPR as the new data protection regulation is set to take effect in less than two years.

As firms begin the scramble to comply with (or ignore) the EU's new data protection regulation, set to take effect in less than two years, privacy issues in the cloud will pose serious challenges. According to a report on readiness in the cloud, as many as 75% of all cloud apps used in enterprises are out of compliance with the new rules.

The EU's General Data Protection Regulation (GDPR) will require all companies, no matter where they are located, to protect the privacy of any data they collect, store or process that relates to a resident of the EU -- and the global nature of the cloud means that under the new rules, many companies may be exposed to potential compliance challenges without even realizing it, if they are using the cloud to store or process the personal data of EU residents.

"The shift to the cloud presents an increasing complexity and volume of security challenges for enterprises, including regulations like the EU GDPR," said Sanjay Beri, CEO and founder of Netskope, based in Los Altos, Calif. "With the deadline for compliance looming, complete visibility into and real-time control over app usage and activity in a centralized, consistent way that works across all apps is paramount for organizations to understand how they use and protect their customers' personal data."


"This is the first time that data processors [cloud providers] actually have a direct compliance risk and obligation under the regulation," Deema Freij, global data privacy officer for enterprise software maker Intralinks Inc., based in New York, told SearchSecurity. Previously, privacy compliance in the EU was the burden strictly of the "data controller": the organization that collects and uses the data subject to the GDPR. "Now, it's actually both data processors and data controllers. They would be liable and they have their own obligations under the GDPR."

"Data processors" are the firms that provide data processing services to data controllers, and most cloud apps fall into this category.

The bad news on cloud apps

For its June 2016 Netskope Cloud Report, the cloud access security broker tracked more than 22,000 apps used in enterprises, and rated only 24.6% of them as having a "high" readiness rating for compliance with the EU GDPR.

Netskope ranked apps for GDPR readiness based on eight key areas: geographic requirements, data retention, data privacy, terms of data ownership, data protection, proper auditing, certifications and the presence of a valid data processing agreement. According to the report, apps fell short in different ways: 62.3% of cloud apps failed to specify in their terms of service that customers own their own data, and 46.4% retained data for longer than one week after termination of service, the threshold the report applies for its data retention criterion.

The scope of the problem for the typical enterprise is huge, according to Jamie Barnett, chief marketing officer at Netskope, and exceeds what the IT and security professionals in those enterprises expect.

"For context, we find more than 900 cloud apps, on average, in each enterprise," Barnett said, adding that IT and security executives "believe that they may have maybe a few dozen cloud apps in usage in their environment, and what we really find is that there are ones they are very aware of, but there's a huge other usage" of cloud apps run under the enterprise radar.

The apps discovered in enterprises included the well-known ones like Dropbox, Barnett said, but Netskope also found "many apps that IT may not even be aware about, but that are being used for legitimate business purposes. What we find is that many of those apps are not enterprise-ready and certainly, as we move toward the GDPR compliance date, it becomes more important that they don't have those key areas of functionality."

"We're looking at applications that are used in enterprises," Barnett said. "And they can be as basic and common as Box, Dropbox and OneDrive or as obscure as a vertical application for a healthcare company or a financial company. They don't include custom applications, they are off-the-shelf, third-party apps, [software as a service] cloud services. We're looking at both very common ones and very long-tail ones where we may only see a handful of users or a handful of customers using them."

Barnett said that "even if you have an app like a Box or a Dropbox that you know is going to meet your standards for enterprise readiness and for GDPR readiness, that doesn't guarantee that you're going to be GDPR compliant. There's that 'shared responsibility' model: the cloud app vendor needs to make sure that they have all the capabilities that are required, but the enterprise also has a responsibility for ensuring proper protections and proper usage within those apps. Because those apps make it so easy to sync and share data, they need to make sure that those apps are governing usage appropriately so they're complying with GDPR as well."

Strategies for coping with GDPR in the cloud

Stephen Cobb, senior security researcher at ESET, said the EU GDPR will affect both cloud services and the people who use those services. Service users "are likely to seek assurances from providers that they are taking care of GDPR compliance," though it is unclear how providers will respond to those requests. "If there is one thing that does seem clear it is this: Every organization should be keeping a frequently updated and well-documented data security risk assessment within easy reach. You should be doing that regardless of GDPR, but GDPR is one more reason you should be doing it."

Barnett suggested that "the first thing to do is look a little bit beyond just the top-used apps because you'll find that many of those apps, even in the middle or even at the lower end of the usage tail, can have important data, so it's important to know all those apps and be able to triage them."

"Controllers need to know what apps are in use, period. That's the very, very first step. Secondly, they need to know where the personal data resides in their environment," which, Barnett said, can be done by scanning for sensitive data in, or en route to, the apps being used. She also suggested determining what data is being stored, and where; verifying that cloud apps use adequate security measures to protect personal data from loss, alteration or unauthorized processing -- and not using customer data for marketing purposes.

Enterprises "need to understand the privacy and security standard of the processor [cloud provider] and make sure that those standards adhere to the GDPR," Barnett said. "For example, does the processor ensure that their data aren't being shared with third parties? Do they ensure that, for example, users can download and ensure that their data are erased when they choose to leave the service, if they choose to leave the service?"

Freij noted that, from a contractual perspective, "you, as a data controller, will want to put in contractual obligations and liabilities on your data processor. So, it's both ways: There's the contractual obligation between the two parties, but then there's also, obviously, the direct compliance risk and obligation for data processors, which is a new thing. And in fact, what we're going to start seeing is a lot more data processors -- i.e., cloud vendors -- becoming very, very aggressive in the contractual negotiations and actually trying to allocate the risk, contractually."

"In addition to making sure you have that frequently updated and well-documented data security risk assessment handy, the immediate priority is getting to know GDPR and assessing its potential impact for your firm," Cobb said. "This should be a Q3 priority for every company, so that before Q4 arrives, the C-suite will be fully informed on the implications. The chief privacy officer should take the lead on this, but if no such role currently exists, and the firm does handle [personally identifiable information] that may be European or stored in Europe, now would be a good time to create and staff that role. At minimum you need to make sure the firm's legal counsel is GDPR-aware."
