Following a period of lengthy debate, fine tuning and approvals from various political entities, the EU General Data Protection Regulation (GDPR) will soon come into effect. With just one final stage of approval yet to come, the GDPR is set to finally become law this spring, leaving organisations with two years to achieve full compliance with the regulation.
Whilst two years may seem like a sufficient amount of time, IT teams face the challenge of controlling a hugely complex web of cloud use in the workplace. As a result, GDPR compliance will be tricky: recent research conducted by Netskope and YouGov revealed that almost 80 per cent of IT professionals in medium and large organisations do not feel confident that they will be able to ensure compliance with the regulation before the expected deadline of spring 2018.
Organisations striving for GDPR compliance must consider enterprise cloud app use. It is a difficult hurdle to clear: cloud apps create unstructured data which is not only more difficult to manage but also explicitly included within the regulation. The research found that while nearly a third of IT professionals admit to knowing full well that shadow IT is rife in the organisation – meaning that employees are using unauthorised cloud apps at work, placing data at risk – only seven per cent have implemented a solution to deal with this problem.
Blanket policies that block cloud apps are not an option because cloud app use leads to such huge productivity gains. Businesses have to find a balance, enabling continued use of cloud apps while ensuring that structured and unstructured data, both at rest and in transit, are protected. But how can organisations securely allow employees to use cloud apps while ensuring GDPR compliance?
Under the GDPR, companies are required to take active measures to protect their data. Legal arrangements such as policies, protocols and contracts are not sufficient to guarantee GDPR compliance. Instead, organisations must ensure data protection and compliance in all areas by implementing deliberate organisational and technical measures. Known as ‘data protection by design’, these actions extend beyond the traditional security measures aimed at ensuring data confidentiality, integrity and availability.
GDPR compliance will not be possible if organisations do not control and secure data in cloud apps. Closely managing a business's interactions with the cloud is a good starting point. To achieve this, IT needs to:
Discover and monitor every cloud application in use by employees.
Know which personal data sets are being processed by employees in the cloud – for instance, customer information such as name, credit card details, address, or other forms of personally identifiable information (PII).
Secure data by implementing policies to ensure that employees are not using unmanaged cloud services to store and process PII. Policies should be sufficiently granular in order to prevent unwanted behaviour while simultaneously ensuring compliant use of the cloud can continue.
Coach users in best practice so they adopt the services sanctioned by IT.
Use a cloud access security broker to evaluate the enterprise-readiness of all cloud apps and cloud services so the business can guarantee that all data is protected both at rest and in transit.
The explosion of cloud apps and shadow IT in the workplace means that personal data has become even more difficult to track and control. Both cloud vendors and cloud-consuming organisations must recognise that the GDPR will have wide-ranging and significant ramifications in terms of data control and protection. IT security teams will need to take full advantage of the two-year grace period before penalties for non-compliance come into effect. Examining cloud app use in the organisation is the best place to begin your journey towards GDPR compliance.