The EU’s General Data Protection Regulation (GDPR) will be enforced in a matter of months. Many see the regulation as a victory for personal data rights because it gives individuals the right to ask businesses for detailed information about how their personal data is processed.
GDPR also governs the ways in which businesses conduct their internal data operations and audits. Overall, the regulation makes organizations more accountable for their practices. For those seeking compliance, data security and visibility into employee cloud usage must be a top priority.
Using cloud applications for storing and processing data is a critical concern under GDPR. The regulation describes a shared responsibility between organizations using cloud apps and cloud service providers (CSPs) like Salesforce and Dropbox. However, it is ultimately the enterprise, not the CSP, that is responsible for protecting its customers’ data in the cloud. In other words, businesses are accountable for ensuring that customer data is safe and used only as authorized, even when it is stored in a third-party cloud application.
By May 2018, companies of all sizes will need to ensure the efficacy of their cloud security capabilities. To address the operational challenges associated with achieving GDPR compliance, most organizations will need to undergo numerous changes. Below are three of the top ways to ensure GDPR readiness.
1. Locate data and develop a directory
Management and IT need to collaborate to create a directory of procedures. This directory should be a summary of how customer, personal, and company data is collected and processed. Organizations that use the cloud must identify all customer data that moves to and from the cloud, and show how said data is secured. This directory must be comprehensive and include everything from identifiable website traffic data, to email and file data stored in cloud apps. This process should be led by an in-house data protection officer (DPO) as required under GDPR.
2. Find out more about CSPs’ data processes
CSPs tend to have their own sets of procedures that cloud users must consider when preparing for GDPR compliance. Organizations should compare their procedures and requirements with those of their cloud service providers to ensure that data is completely secured and consistently used only as authorized.
Once GDPR is in effect, CSPs will be able to obtain various certifications based on the levels of protection they provide. These certifications are voluntary; the regulation has no explicit standards to which CSPs must adhere. As such, cloud users must make sure that app vendors hold certifications sufficient to inspire confidence in the tools they provide. Capabilities like data leakage prevention (DLP) and encryption must work consistently. If a breach occurs because of lax CSP controls, the cloud user will ultimately be responsible.
3. Limit shadow IT’s risks
With GDPR on the horizon, companies should begin paying more attention to the circumstances surrounding data access. Visibility into employee activity – logins, downloads, file shares and more – will be crucial in maintaining GDPR compliance. Steps must be taken to prevent malicious and oblivious employees from accessing sensitive data on unsecured devices like personal mobile phones or tablets. If users circumvent security tools to download sensitive data or upload it to unsanctioned cloud apps, then organizations will be found in violation of GDPR for using and transferring data in ways that customers did not authorize.
A helpful way to begin addressing insider threats is to have management and the data protection officer develop a data security code of conduct for employees. In conjunction with this, organizations must deploy technical precautions such as DLP-based control of uploads to unsanctioned cloud apps. Additionally, firms should review privileges to uncover who has access to sensitive data and limit it accordingly.
Becoming GDPR compliant is a major business challenge that will require firms to implement new security measures and operational processes. With its numerous requirements, terms and penalties, the regulation ultimately seeks to make companies more accountable for data privacy and protection. As such, GDPR is a step in the right direction for the future of data security.
This article is published as part of the IDG Contributor Network.