New EU data protection regulation is expected to come into force this year, replacing the Data Protection Directive adopted in 1995. Aimed at strengthening consumer and business trust in Europe’s digital economy, the legislation will address some key security and privacy concerns.
The implications for businesses and Cloud providers are vast, yet research by Skyhigh Networks suggests Cloud providers are poorly prepared, with only 1 in 100 currently meeting the forthcoming regulation. So what can we expect from the new regulation, and how will it affect the Cloud computing market?
The proposed regulation will apply to all European businesses and to any business outside the EU that holds personal data on individuals in the EU. Companies that do business with the EU, such as Cloud providers, will therefore also need to comply, regardless of where they are headquartered.
Overview of Changes
- Data Residency: Strict data residency rules will prevent companies from storing personal data in, or transferring it through, countries outside the EU that do not uphold equally strong data protection standards. Currently only 11 countries outside the EU are recognised as satisfying these privacy requirements, and the US, home to two-thirds of all cloud data centres, is not among them.
- Right to Erasure: The new legislation requires businesses to delete personal data on an individual's request. Ensuring that every copy of this data is deleted, including backups and replicas held by a provider, may prove challenging: 63% of cloud providers currently retain data indefinitely or have no provisions for data retention, and another 23% reserve the right to share data with third parties.
- Responsibility and Security Breaches: Under the proposed regulation, liability for data breaches and violations will be shared between data controllers (the businesses that decide why and how personal data is processed) and data processors (such as cloud providers that store or process the data on their behalf). Businesses and Cloud providers will therefore share responsibility for data management, and a processor can no longer treat compliance as solely its customer's problem.
Implications for Businesses
Increased business liability and heftier penalties, of up to 5% of annual turnover or up to €100m, will cause business leaders to take note. Data governance and risk analysis will become key responsibilities which, in turn, will have time and budget implications.
Selecting the right Cloud provider will be critical, and businesses will need to carry out due diligence on a provider's data locations, retention and deletion practices, use of sub-processors and breach-handling commitments to ensure privacy and security compliance. In addition, any security breach will need to be notified to the relevant supervisory authority within 24 hours. This could prove challenging, as businesses are often unaware of breaches at their Cloud providers until well after the fact. Encryption therefore becomes an attractive option: it provides another layer of protection, and it mirrors the position under the 1998 UK Data Protection Act, which allows breach notification to be bypassed where the lost data is inaccessible to third parties. The caveat is that data only counts as inaccessible if the keys were not exposed alongside it, so encryption keys should be held and managed by the business rather than by the provider that stores the data.
Implications for Cloud Providers
Cloud providers are arguably the most affected by the legislation, yet the least prepared. Increased security requirements and administrative burdens will require them to disclose details of their data processing and security arrangements. Permission will also need to be sought from clients before enlisting any third-party services or sub-processors, and all data will need to be returned to the client on contract termination.
In terms of data residency, large global providers, such as Microsoft and Amazon, are already making provisions to keep data within the EU by setting up European data centres.
The landscape for Cloud computing is changing. The EU-wide regulation will drive up security levels and increase accountability. Although an exact date for the new regulation is yet to be confirmed, businesses and Cloud providers must put the building blocks in place now, so that they are fully prepared when the legislation does arrive.