
How enterprises should handle GDPR compliance in the cloud

GDPR compliance in the cloud can be an intimidating concept for some enterprises, but it doesn't have to be. Rob Shapland explains why it's not so different from on premises.

On May 25, 2018, the new European Union General Data Protection Regulation will go into effect, meaning that any company controlling or processing the data of EU data subjects -- citizens and residents -- will need to comply with the regulation or potentially face significantly increased fines compared to existing data protection laws.

Many companies are unsure how to handle General Data Protection Regulation (GDPR) compliance in the cloud, and it is not yet clear whether the cloud will benefit or hinder compliance. A recent survey conducted by Gemalto S.A. revealed that the vast majority of IT professionals believe that it is more complex to manage GDPR compliance in the cloud than it is on premises.

The first step to comply with GDPR is to understand which personal data the organization controls and processes. This discovery and the data classification process are not just limited to the organization's own network; it needs to extend into the cloud. The main problem associated with GDPR compliance in the cloud is the proliferation of data across a large number of cloud services, both sanctioned and shadow.

Companies now have no more than 72 hours to notify the relevant government supervisory authority in the event of a data breach -- meaning that they must understand very quickly where the breach occurred -- which requires a complete understanding of where all personal data is being stored. The Gemalto survey results about IT professionals' beliefs about the complexity of GDPR compliance in the cloud are likely to be symptomatic of this lack of understanding of where data is stored rather than an inherent problem of cloud services not providing the tools to ensure compliance.

How to handle GDPR compliance in the cloud

One approach to ensuring GDPR compliance in the cloud is to only use providers that adhere to the required privacy and security procedures, and to stop using those that do not. Organizations should ensure that they only store the personal data that they truly require for the cloud application to perform its purpose.

It is also essential to understand whether the cloud vendor allows the customer organization to erase all its data from the application once it stops using it.

Fortunately, the major infrastructure-as-a-service providers, such as AWS and Microsoft Azure, have tools available to help with GDPR compliance. By storing data in IaaS, enterprises offload many of the requirements for GDPR to the cloud provider -- for example, encryption, monitoring and logging, and security by design are all key features of IaaS.

Moving data to a major cloud provider should make compliance a much simpler process than it would be on premises, as the underlying hardware, processes and procedures are already compliant. It is only the enterprises' handling of the data within that cloud environment that needs to be carefully managed.

Overall, GDPR compliance in the cloud or on premises should be seen as a catalyst to undertake a process that organizations should have completed already -- though most haven't. Having control over the security of personal data is key to avoiding a data breach, and without truly understanding and controlling that data, it is only a matter of time before it is intentionally or accidentally breached. Enterprises should use GDPR as a reason to examine and consolidate cloud services, and they should only use providers that can prove compliance with the regulation.


With the European Union’s GDPR enforcement day inching closer and closer in May 2018, organizations really need to put their heads together and act fast on data security. The motto of the EU regulation is clear: ‘Act or face the consequence’. Any non-compliance by the organization will have to be paid in the form of a steep fine, and that amount is 4% of its annual global revenues. A CASB solution helps an enterprise in data protection.

It is but pertinent that all the organizations are hiring the services of cloud providers for data storage and processing, since it is not economical or feasible to store and process such a humongous amount of data on-premises. So both the organization and the cloud service provider, either within or outside the EU, that have EU citizens’ data with them fall under the purview of GDPR. In order to practice Data Loss Prevention (DLP), CASB (Cloud Access Security Broker) software hits the right target so that data can be secured and protected.