With only a few months until the General Data Protection Regulation (GDPR) comes into full force, there’s an air of unnerving panic sweeping across organisations in the EU to ensure compliance. And this panic isn’t without reason. Companies found to breach the data of EU individuals will suffer severe financial penalties for serious incidents, with fines of up to four percent of a company’s annual revenue.
As a result, ensuring total compliance with the legislation is a must, but with 88 pages of legislation, it’s a daunting endeavour for any organisation to get up to speed with GDPR. However, what is often overlooked is the fact that most organisations are actually in a good position to navigate through this tricky new legislation. GDPR, in fact, adopts almost 80 percent of the existing Data Protection Directive that has been a mainstay for organisations for some years.
The remaining 20 percent is new with the GDPR, and it represents the largest hurdle for organisations adapting to this new landscape. But for some, adjusting to and complying with the GDPR may be quicker than anticipated, thanks to the growing adoption of cloud throughout the enterprise.
Capitalising on the Cloud
Research from Cloud Industry Forum identifies that overall cloud adoption rate in the UK stands at 88 percent, with 67 percent of users expecting to increase their adoption of cloud services over the course of the coming year.
At Google’s Cloud Next event held earlier this year, Google executives advocated that cloud can help boost GDPR compliance, as moving data to the cloud can alleviate the pain of upgrading security practices and data protection standards in line with the new regulations. In the same vein, large technology vendors including AWS and Microsoft Azure have both committed to ensuring GDPR compliance to support their customers operating in the EU. Cloud can facilitate the move towards compliance, but how can this be achieved?
Centralising and monitoring data
One of the biggest implications of GDPR is the requirement for accurate storage, visibility, and monitoring of EU data, in an attempt to bring more accountability for consumer data. Organisations that have traditionally relied on legacy on-premise IT infrastructure will quickly find that they are unable to offer the strict monitoring or the stringent security assurances required under GDPR.
However, by storing data in more sophisticated cloud environments, organisations are now able to centralise data from all assets in one location, rather than having several data access points. Not only is this important for improving visibility and accessibility of data, but effective storage in the cloud can offer operational benefits including the prevention of data leakage and reducing the possibility of data duplication.
Additionally, GDPR will give users more control through the ‘right to erasure’, also known as the ‘right to be forgotten’, meaning users can request that their data be removed from company databases, or amended if it is incorrect. This has the potential to leave organisations inundated with requests from consumers to access their data. But by using cloud technologies, organisations can largely remove the administrative headache for staff in organising and maintaining this data, having instant access to data where required. Having said that, cloud isn’t the be-all and end-all when it comes to GDPR compliance.
Cloud needs to be met with an organisational culture shift
While there are undoubted benefits of cloud, organisations cannot solely rely on the cloud to facilitate their move towards GDPR compliance. Instead, a wider appreciation is required from both organisations and cloud service providers (CSPs) in their role towards this goal. Only through collaborative partnerships and a deeper understanding of each party’s involvement with GDPR can real progress be made.
Any organisation storing data in an IT environment needs to ensure that best practice is being followed, such as patching, monitoring and access controls, with appropriate 24/7 support and governance wrapped around them so that protection is proportionate to the value of the data being stored. If these environments are in the cloud, then additional activities such as supplier management need to be implemented to maintain the required level of assurance for the organisation, i.e. checking that the supplier is implementing the controls at all times.
Additionally, the mindset surrounding GDPR also requires change. GDPR is not merely a business matter to be managed by IT departments, but demands dedicated involvement from all parties in upholding its values. Internally, everyone from junior members of staff to the board must understand the role of GDPR, while externally, business partners and technology suppliers will also be held accountable for ensuring services and security of the highest standards. To put this in context: in the event of a potential data breach, organisations are now required to declare the incident within 72 hours to the relevant supervisory authority, or else face significant financial penalties. Having robust initiatives and a thorough understanding of how to detect and report threats throughout the entire business ecosystem will be critical to staying on top of the game.
GDPR is a game-changing piece of legislation that will affect organisations of all sizes. Organisations can find some solace in the fact that much of the foundation of GDPR is rooted in the Data Protection Directive, but this shouldn’t be mistaken for grounds for complacency about GDPR compliance. With more organisations capitalising on the cloud, it only makes sense that cloud can help them move towards 100 percent compliance. But this must be matched with a shift in culture and understanding, or else organisations will be left ill-equipped ahead of the May deadline.