The General Data Protection Regulation (GDPR) is one of the most sweeping corporate regulations coming down the pipeline. The measure was adopted by the European Commission and is set to go into effect May 25, 2018, and its purpose is to standardize rules for data collection, storage, and use, and then apply those rules across the European Union.
Abiding by the size and scope of GDPR rules is proving to be a challenge, particularly on such a short timeline. Companies of all sizes and across industries are scrambling to catch up, and much of their focus in on securing the cloud technologies that now house the lion’s share of data.
A study of preparedness highlights just how many companies are lagging behind. Only 1 percent of cloud providers managed data in a way that complies with stricter GDPR standards. The most common deficiencies had to do encryption keys and secure password enforcement. Slightly better are the 7.2 percent of cloud providers with adequate SAML integration support, but this does not change the fact that the vast majority of companies cannot comply with the GDPR.
Complicating all of this is Britain’s impending exit from the EU. Negotiations between both parties have been less than productive, and the exact nature of Brexit and its impact on the regulatory environment remain shrouded in mystery. What is clear, however, is that British companies will still have to comply with the GDPR in order to serve European consumers. So will any other international company doing business in Europe, which is why the GDPR must be on your radar.
How Everyone Plays a Role in GDPR Compliance
The central feature of the GDPR is that it expands the understanding of who is responsible for data. Previously, the controller of the data had responsibility. In most cases, this meant companies had sole responsibility for the security of customer and employee data.
Once the GDPR goes into effect, the burden of responsibility will apply to processors of data as well. Cloud service providers are the most ubiquitous processors, and they must now implement new procedures and practices to meet stronger standards for data security.
Any cloud provider currently abiding by international standards like ISO 27001 or SOC2 is close to complying with the GDPR. The challenge is that all of their subcontractors must follow the same standards. It’s a classic example of a chain only being as strong as its weakest link.
After the GDPR is enacted, controllers and processors must know exactly where all data is being stored and processed. If that data exists on international servers that do not meet GDPR standards, the controller accepts all the penalties and blame for breach of compliance. Handling the transfer of data is about to become a much more sensitive process and expose many companies to added risk.
The Keys to Achieving GDPR Compliance
With only months to go before the GDPR becomes law, companies need to get serious about reviewing and revising their data management practices. As organizations prepare for the new regulations, there are a few things to keep in mind:
1. Know Your Responsibility
As controller, companies have total responsibility for regulated data. They may rely on cloud providers that have contractually mandated penalties if a data breach occurs, but the controller will pay all sanctions and receive public blame for the breach. The GDPR even explicitly states that companies are directly responsible for “appropriate technical and organization protection measures.” This duty can no longer be shifted onto a third party.
2. Think Like a Hacker
In order to implement mandated levels of protection, companies must understand exactly how sensitive different types of data are and exactly how that data is captured, processed, stored, and secured. Knowing what data is most likely to be attacked and what vulnerabilities hackers are likely to exploit, makes it possible to establish systematic protections and threat mitigation strategies.
3. Adopt Pseudonymization
This combination of “pseudonym” and “anonymization” refers to a process of depersonalizing sensitive data. If data cannot be linked back to any specific individual, it is not subject to GDPR rules. It’s relatively easy to make data adequately anonymous using encryption and tokenization — however, the controller must keep the encryption key separated so that if data is ever compromised, it can’t also be unencrypted.
4. Implement Best Practices
The GDPR mandates that controllers follow evolving standards for protection, and it identifies encryption as a central tenant. Regulators believe encryption should become the default standard and enacted ASAP. This process must be carried out locally in order to abide by the GDPR, though, because if the controller does not hold the encryption key, then storage privacy is rendered irrelevant. Bulk cloud storage is still a viable option as long as the controller is the ultimate data owner.
5. Manage the Scope of Audits
Demonstrating GDPR compliance requires a sweeping auditing process. Controllers are required to evaluate how the processor is handling data and what protections are being put in place before submitting a comprehensive audit. It will become essential for companies to limit the amount of time, resources, and uncertainty these audits involve if GDPR compliance is going to avoid becoming a burden.
The next step is to begin reviewing your relationships with cloud providers within the context of the GDPR. If those providers are not compliant, you are not compliant either. Getting up to speed may be a lot of work in a short amount of time, but ultimately the measures the GDPR mandates insulate companies from the catastrophic consequences of a cyberattack. By protecting consumers, the GDPR protects companies, too.
