The Cloud vs GDPR: a Compliance Nightmare?
The rationale behind the regulation
The General Data Protection Regulation (GDPR), referred to by some as ‘the’ biggest change to European privacy laws in the last two decades, is causing commotion across the globe as businesses rush to become compliant by May 2018 or risk facing heavy sanctions.
Finalised in April 2016 the new regulation, which will replace the Data Protection Directive 95/46/EC, has the goal to better protect an individual’s personal data. For clarification purposes that could be any form of information leading to a person’s identification including but not limited to their name, email address, ID number, location data, income and bank details, health information and IP address.
So why a greater focus on the data subject?
Not so dissimilar to the rules of the road, a poignant comparison made by David Lewis, GRC Manager at cyber security specialists Imperva, a person visiting a website should be protected. When browsing online it is expected that our personal information is secure and makes it to its end destination safely too.
Unfortunately, as recounted in the press all too often of late, the risk of a visitor’s data being breached has increased exponentially.
In November of this year, details surrounding a breach suffered by Uber in 2016 surfaced. According to the company, 57 million people were affected by the cyber-attack. A month earlier, detailed card payment information of approximately 60,000 Pizza Hut customers, among other user data, was thought to have been exposed to hackers. A month before that, Deloitte was involved in a cyber-attack whose real fallout has yet to be defined but which is said to have compromised Deloitte’s global email server. In July 2017, it became clear that Bupa’s data breach had affected half a million customers. In 2016, Android malware compromised over a million Google accounts. In 2013, Yahoo also disclosed a breach affecting up to 3 billion of its email users.
In response to the drop in user trust and confidence which inevitably negatively impacts businesses and the economy, governments are increasing regulatory safeguards. Unlike the Directive, the GDPR will provide a single set of rules for all companies handling, storing, sharing and processing EU related personal data. Organisations will have to implement new measures to meet the requirements of the regulation and be extremely careful how they acquire, collect, use and store the data of their clients, customers and employees.
The implementation of a single regulation is thought to facilitate business processes in the long run and incentivise organisations to consolidate and streamline data in one place from the offset, where it can quickly be anonymised. The significant reduction in organisational costs, the potential for innovation and the building of greater rapport with customers as well as the decrease in brand and reputational damage associated with avoidable breaches are also argued to be among the benefits of the new regulation.
Cloud services and the GDPR
The rules of the GDPR apply irrespective of whether data is stored in the cloud or on paper. The former in particular presents several challenges with regards to compliance.
On the one hand, according to Elastica’s Shadow Data Threat Report, as little as one percent of cloud providers’ internal processes are compliant with the new legislation, and fewer than three percent enforce secure password policies that meet the requirements of the GDPR. This is partly due to the Directive’s emphasis on the controller rather than the processor, which has left many providers unaccountable for the role they play in data privacy and security. Apart from cases where the controller imposes direct contractual obligations, processors are not held liable for the loss or exposure of information. Where regulation isn’t an issue, cloud service providers can limit their focus to the ease of use and navigation of their platforms and services.
On the other hand, according to the most recent Netskope Cloud Report, EU firms are unaware of how many cloud applications their organisations are actually using; the average is believed to be over 600 software programs.
Under the new regulation the rules will be far more stringent: the threat of fines as high as 20 million EUR or four percent of a company’s annual revenue (whichever is higher) is real, and liability is shared, bindingly, between processor and controller. Cloud providers as well as their users must enforce a series of technical and organisational procedures to guarantee the level of security required. According to Dr. Rois Ni Thuama, Head of Cyber Governance at OnDMARC, the fines are not necessarily the biggest threat to a business’s bank account. The data subject’s right to sue following a breach, whatever its implications, is far more concerning.
“What we are seeing now is a clear division between a growing number of companies that say ‘wait, this GDPR thing is real’, and those who still don’t understand you cannot simply move data around the cloud without addressing data privacy. Privacy regulation is becoming mainstream in IT, in the same way that drug licensing became so for the pharmaceutical industry. It’s either make it clear that you comply, or forget about selling to serious customers,” says Bostjan Makarovic, Founder of Aphaia, a GDPR-focused consultancy.
The attitudes of controllers and processors will need to change drastically, especially when it comes to negotiating agreements. Strict provisions on the scope of the duties of the controller and the processor will need to be defined and implemented. Annabel Jones, UK Director at ADP, commented: “contractual due diligence will be even more important as businesses seek to partner up with companies that can show data is processed lawfully”. An increase in third-party due diligence and a greater focus on insurance policies will most likely also be discernible.
Steps to compliance
When selecting a provider, cloud-using organisations need to ensure they choose vendors that are, in the first instance, able to tell their clients where the data they process and store is located. According to the GDPR, the transfer of data to a third party outside the EU that does not have adequate data protection standards is only allowed under certain circumstances. Currently only 11 countries meet such standards.
It is equally important that companies are made aware of any third parties involved in the processing of the data. According to Trustwave’s Global Security Report, approximately 63% of data breaches involve third parties, who are often considered a company’s biggest area of risk exposure. As a result, they will be the first to be investigated by regulators. If third parties are involved at any stage of the process, measures need to be taken to ensure that they too are compliant.
Security should be a top priority for providers, who ought to be able to explain the various measures adopted to protect data from modification, unsanctioned processing or loss. All data centres must be compliant with the latest ISO certifications, and the storage and transmission of documents should be carried out exclusively over SSL connections with AES 256-bit encryption. Regular penetration tests should be carried out to assess data security. Two-factor authentication, data deletion, trash retrieval and access controls are just some of the ways data owners can retain autonomy over how, and whether, their data is kept.
Drooms, Europe’s leading virtual data room provider, works with 25,000 companies around the world including leading consultancy firms, law firms, global real estate companies and corporations such as Morgan Stanley, JLL, JP Morgan, CBRE, and UBS. Over 10,000 complex transactions amounting to a total of over EUR 300 billion have been handled by the software specialist.