It’s now just a couple of months until the European Union (EU) brings its General Data Protection Regulation (GDPR) into effect. As of May 25, 2018, this body of rules will bring the most wide-ranging and stringent set of internet privacy laws ever formulated into the forefront of global business.
Designed to safeguard the personal information of internet users resident or native to the EU, the GDPR sets out a comprehensive regime of compliance rules, guidelines, and penalties regarding how data from consumers, subscribers, and visitors to websites or online resources should be gathered, stored, handled, and shared.
Because it concerns digital information and the internet at large, the terms of the General Data Protection Regulation apply not only to websites and businesses operating within Europe, but to any organization having dealings with data from EU citizens or residents. This includes cloud-based resources and third-party service providers – so if you’re dealing with any of these, this article should be a wake-up call for your business.
GDPR In A Nutshell
The General Data Protection Regulation (GDPR) introduces a framework of rules, standards, and recommended practices aimed at protecting the privacy of, and strengthening the safeguards around, the personal and online information of European Union (EU) citizens and residents.
GDPR seeks to empower individual EU citizens and residents by increasing their rights to demand fuller disclosure on what personal information is collected from them, where it’s kept, how it’s used, and who has access to it. “Personal information” in the GDPR context goes beyond the data entered into website subscription forms or text fields to include identifiers such as SIM card IDs, website cookies, and IP addresses.
Rights enshrined within the framework include the right of access to consumer information held by the organizations they do business with, the right to have this information rectified if it’s incorrect, and the right to have it deleted on request (the “right to be forgotten”).
GDPR lays out strict rules on all procedures relating to EU personal data, with the threat of substantial penalties if these conditions fail to be met. These range from regularly publicized audits (equivalent to “naming and shaming”) and bans from trading within the EU, to fines of up to €20 million ($24.6 million) or 4% of a company’s annual global turnover – whichever is the greater.
It builds on existing EU legislation, and sets out new parameters for information collection, storage, sharing, and handling by what it terms “data controllers” (including the new breed of Data Protection Officers which organizations are required to appoint) and “data processors” – among whom are cloud services and IT hosting providers.
Concerning The Cloud
A 2017 Netskope Cloud Report suggests that the average European enterprise uses something like 608 distinct cloud applications. Figures for American and global businesses are on a level with this. But while commercial organizations rely on resources and cloud platforms like Salesforce, SuccessFactors, Dropbox, Expensify, Workday, and numerous others, these same organizations are also unaware of 90% of the apps that people within their ranks are actually using.
According to a recent survey by Commvault, only 12% of the 177 global IT organizations polled understood how GDPR would affect their cloud services. This level of ignorance is just the first hurdle to be overcome in a GDPR compliance regime that requires every cloud-based asset associated with an organization to be fully compliant in its own right.
The following recommendations set out a strategy for ensuring that your cloud storage, apps, and service providers support or strengthen your GDPR compliance, rather than undermining it.
Know Where Your Data Is Being Kept
Having identified all the cloud services being used by members of your organization (both the IT-approved ones and those that aren’t), you’ll need to delve further to unearth the data-handling practices of each one.
For starters, compliance with GDPR will be required from any cloud-based app or service provider which is Europe-based, or hosted from physical infrastructure in an EU nation. This applies to both the static storage and processing of data pertaining to EU citizens and residents.
In making this determination, you should bear in mind that cloud services may move your organization’s information around between their various data centers – and if storage or processing occurs within EU borders, GDPR requirements will come into play.
Get The Paperwork In Order
At the contract level, you should carefully review all agreements with cloud storage platforms, application hosts, and other service providers. If any of the services are not currently in compliance with GDPR, draft a fresh agreement and update their terms of service (assuming that they’re willing) to bring the conditions into line.
Be prepared to terminate your contracts with any cloud providers that refuse to renegotiate terms. It may be possible to bring one or more existing contracts under the same (GDPR-compliant) umbrella, with a new provider.
Fine-Tune Your Data Collection
The General Data Protection Regulation is very strict about ensuring that the previously intrusive data-collection methods used by websites, online services, mobile apps and the like are curtailed and brought under a new regime of discipline, where EU consumers no longer have to worry about large corporations or unknown third parties being privy to their most personal details.
In line with this, you’ll need to make sure that the information being gathered or processed on your behalf by cloud services is limited to what’s strictly necessary. For example, if you only need to know a website visitor’s IP address, then that’s the only information you should require them to provide.
Get Specific With How Data Is Used
Following on from the previous point: when drafting the consent forms that request permission for various data points to be gathered and used, and when designing the analytical or other processes that work with those data points, GDPR compliance will be that much easier if you impose a strict discipline of your own.
With cloud applications and services, this means ensuring that data on individuals is collected and used for a specific purpose – and only for that reason. No follow-up emails pulling in third-party advertisers. No selling on to marketing networks, storing for “research purposes”, or other conditions that may allow information to fall into the wrong hands – and outside your compliance remit.
Keep Only What’s Necessary
With GDPR effectively guaranteeing European users the right to access, erase, or even edit the information you gather from them – and setting specific conditions and time limits for disclosure and deletion – it’s in your best interests to ensure that any personal data your organization holds at a given time is both limited in scope and able to be disposed of at a moment’s notice.
This can be facilitated by negotiating agreements with your cloud providers allowing for the immediate disposal of information that the provider holds, once your contract expires. Making sure that data held in storage is kept to a minimum also reduces the risk of exposure due to security breaches or hacking events.