Are Cloud Services GDPR-Ready?
Per EU law, the General Data Protection Regulation is set to come into force in May of next year. This means that companies will have to be compliant with the EU’s goal to strengthen and unify data protection for consumers across a range of industries.
On the whole, the GDPR is a very good thing for those who are concerned about being in control of their data online, and provides clarity for business and organisations in the form of a clear legal structure. While this standardisation across the EU is a positive step, it no doubt requires a lot of action on behalf of companies who deal with customer or user data. Specifically, it comes with “significant changes compared to the Data Protection Directive 95/46/EC involving operational changes in organisations.” The cost of not updating one’s systems to be in compliance of these changes includes fines of up to $20 million Euros from EU officials and, of course, a higher risk of a data hack.
As the 2018 deadline looms, however, recent reports have found that “almost three-quarters of cloud services still lack key capabilities needed to ensure compliance with the GDPR regulations.” The study found that only 24.6 percent of the cloud-based services deployed by enterprises were given a GDPR readiness rating of “high”. This score is based on factors including the location of data storage, encryption, and agreements about data processing.
Sanjay Beri, CEO and founder of Netskope, which carried out the study, was quoted as saying: “Cloud adoption is an inevitability and has enormous business value for enterprises across all geographies and verticals. It also introduces a new set of complex security challenges in the enterprise, with regulations like the GDPR one of the more complex challenges. On the eve of the compliance deadline, complete visibility into and real-time control over cloud usage and activity in a centralized, consistent way that works across all cloud services is paramount for organizations to understand how they use and protect their customers’ personal data and, consequently, comply with the GDPR.”
So, what are the key points that a company who needs to be GDPR compliant must prepare for?
The following defines where you should begin directing your efforts immediately:
Do you even have to comply? While the GDPR is an EU directive, its jurisdiction can still apply to companies that aren’t headquartered in the EU. The key issue is where their customers are. It’s crucial to know that if you collect and/or process the data of EU citizens, you must be compliant no matter where you are.
Consent and explanation? A key component of the GDPR is obtaining customer consent to store data, which requires an explanation of how it will be used. This may sound simple, but can require quite a bit of work. Are you able to explain in clear language to your customer why and how you use their data? And do you have a mechanism to obtain their consent? If not, you should begin creating this.
Get ready for requests: Under the GDPR, customers have a right to request the data you hold, where it is stored, and to know why you are using it. You need to be able to provide electronic copies of this data when asked. That is a huge undertaking for many companies, and one that can’t be done overnight.
Get rid of “opt-in” privacy: If you have an app or service that only offers enhanced privacy once the user has requested or opted into it, you’re going to have to change your structure. The GDPR states that privacy must be embedded into apps and services, not included as an afterthought or extra.