On May 25, 2018, the new European Union General Data Protection Regulation will go into effect, meaning that any...
company controlling or processing the data of EU data subjects -- citizens and residents -- will need to comply with the regulation or potentially face significantly increased fines compared to existing data protection laws.
Many companies are unsure how to handle General Data Protection Regulation (GDPR) compliance in the cloud, and it is not yet clear whether the cloud will benefit or hinder compliance. A recent survey conducted by Gemalto S.A. revealed that the vast majority of IT professionals believe that it is more complex to manage GDPR compliance in the cloud than it is on premises.
The first step to comply with GDPR is to understand which personal data the organization controls and processes. This discovery and the data classification process are not just limited to the organization's own network; it needs to extend into the cloud. The main problem associated with GDPR compliance in the cloud is the proliferation of data across a large number of cloud services, both sanctioned and shadow.
Companies now have no more than 72 hours to notify the relevant government supervisory authority in the event of a data breach -- meaning that they must understand very quickly where the breach occurred -- which requires a complete understanding of where all personal data is being stored. The Gemalto survey results about IT professionals' beliefs about the complexity of GDPR compliance in the cloud are likely to be symptomatic of this lack of understanding of where data is stored rather than an inherent problem of cloud services not providing the tools to ensure compliance.
How to handle GDPR compliance in the cloud
One approach to ensuring GDPR compliance in the cloud is to only use providers that adhere to the required privacy and security procedures, and to stop using those that do not. Organizations should ensure that they only store the personal data that they truly require for the cloud application to perform its purpose.
It is also essential to understand whether the cloud vendor allows the customer organization to erase all its data from the application once it stops using it.
Fortunately, the major infrastructure-as-a-service providers, such as AWS and Microsoft Azure, have tools available to help with GDPR compliance. By storing data in IaaS, enterprises offload many of the requirements for GDPR to the cloud provider -- for example, encryption, monitoring and logging, and security by design are all key features of IaaS.
Moving data to a major cloud provider should make compliance a much simpler process than it would be on premises, as the underlying hardware, processes and procedures are already compliant. It is only the enterprises' handling of the data within that cloud environment that needs to be carefully managed.
Overall, GDPR compliance in the cloud or on premises should be seen as a catalyst to undertake a process that organizations should have completed already -- though most haven't. Having control over the security of personal data is key to avoiding a data breach, and without truly understanding and controlling that data, it is only a matter of time before it is intentionally or accidentally breached. Enterprises should use GDPR as a reason to examine and consolidate cloud services, and they should only use providers that can prove compliance with the regulation.