Two years to GDPR deadline means it’s time for data protection by design
Thu 7 Apr 2016
After months of lengthy debate and a string of approvals, the EU General Data Protection Regulation (GDPR) is finally set to become law this spring. Once the last stage of approval has been passed, the GDPR will enter into force, and businesses will then have two years to put in place the measures that allow them to achieve full compliance with the new regulation.
Two years may sound like plenty of time to implement policies which allow IT to control the hugely complex web of cloud use in the modern workplace, but CIOs know they are facing a sizeable challenge. Even with a 24-month grace period, the complexity of the GDPR makes compliance seem like a difficult hurdle to clear. According to recent research, almost 80 percent of IT professionals in medium and large organisations are not confident that they will be able to declare that the business is compliant with the regulation before the GDPR begins to be enforced in 2018.
The bad news is that cloud apps aren’t making compliance any easier. They generate unstructured data (documents, attachments, chat transcripts, file shares) which is harder to inventory and control than records in a database, and which falls squarely within the GDPR’s definition of personal data when it identifies an individual. This is a huge potential stumbling block, not least because cloud apps are prolific: Netskope research has found that nearly a third of IT professionals know that shadow IT is endemic within their organisation, as employees sidestep IT policies to use unauthorised cloud apps at work, unknowingly placing data at risk. Despite this, only 7 percent of IT professionals have put a solution in place to address the problem. As a result, any business seeking GDPR compliance needs to account for enterprise cloud app use.
Without the ability to control and secure data in cloud apps, GDPR compliance is a forlorn hope
The truth is that blanket “block” policies rarely work when it comes to app use. Cloud apps let employees work in a highly productive manner and, as a result, such policies usually only produce frustrated users and dangerous workarounds: personal e-mail, USB sticks, or a different unsanctioned app that the block list has not caught up with yet. Organisations must find a way to let staff continue using their preferred cloud apps while securing all structured and unstructured data, both at rest and in transit. That raises the question: how can businesses ensure GDPR compliance while allowing employees to continue using cloud apps securely?
Once the GDPR comes into effect, companies will be required to take active measures to safeguard the personal data they process. Under the new regulation, legal arrangements alone, including policies, protocols and contracts, will not be sufficient to demonstrate compliance. Instead, organisations will need to implement deliberate organisational and technical measures to ensure data protection across the business; this is what Article 25 of the regulation calls ‘data protection by design and by default’. Implementing it takes businesses beyond the security controls traditionally used to ensure confidentiality, integrity and availability, because it also asks them to show that personal data are only collected, stored and shared where there is a need, and only in systems they actually control.
In short, without the ability to control and secure data in cloud apps, GDPR compliance is a forlorn hope. Finding a way to manage all business interactions with the cloud is an excellent starting point for any company attempting to regain control of its data. To achieve this, the IT department needs to discover and monitor every cloud application used by employees and be aware of which personal data employees are processing in the cloud. Is customer information present, such as names, credit card details, addresses? Or other forms of personally identifiable information (PII)?
Data needs to be secured by setting policies which prevent employees from using unmanaged cloud services to store and process PII. Those policies have to be sufficiently granular, distinguishing the app, the activity (upload, share, download) and the type of data involved, so that they stop the unwanted behaviour, such as a spreadsheet of customer records being uploaded to an unsanctioned file-sharing service, while still allowing compliant use of the cloud rather than blocking the app outright.
Users too should be coached in best practice so that they adopt and use the services sanctioned by the IT department; a real-time prompt that points a user to the approved alternative at the moment of the blocked upload is far more effective than a policy document. IT departments should also use a cloud access security broker (CASB) to assess the enterprise-readiness of all cloud services and cloud apps in use (for example, whether the provider encrypts data at rest and in transit, where data are stored, and whether data are deleted when the contract ends), so that the organisation can verify, not merely assume, that personal data are protected both at rest and in transit.
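A minimal illustration of the discover-and-control loop described above (app discovery from proxy logs, PII detection in uploads, and a per-request allow/coach/block decision), added here as a worked example; it is not Netskope’s code or the logic of any real CASB. The log format, the app catalogue, the hostnames and the policy outcomes are all assumptions constructed for the example, and the Luhn check is included to show why a naive “any 16 digits” rule produces false positives on order numbers:

```python
import re
from dataclasses import dataclass

# Hypothetical app catalogue: host -> (app name, sanctioned by IT?).  In practice this
# comes from the CASB's app discovery and enterprise-readiness assessment.
APP_CATALOG = {
    "corp-drive.example.com": ("CorpDrive", True),
    "filedrop.example.net": ("FileDrop", False),
}
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed proxy log format: <time> <user> <method> <host> <bytes> "<payload excerpt>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "(.*)"$')
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects order/ticket numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(payload: str) -> set:
    """Return the kinds of PII found in an upload excerpt ('email', 'card')."""
    kinds = set()
    if EMAIL_RE.search(payload):
        kinds.add("email")
    for m in CARD_RE.finditer(payload):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            kinds.add("card")
            break
    return kinds


@dataclass
class Verdict:
    user: str
    host: str
    app: str
    sanctioned: bool
    pii: set
    action: str


def evaluate(line: str) -> Verdict:
    """Per-request policy: allow / coach / block (assumed policy, not a CASB's own rules)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    _ts, user, method, host, _size, payload = m.groups()
    app, sanctioned = APP_CATALOG.get(host, (host, False))   # unknown host = unsanctioned
    pii = find_pii(payload) if method in UPLOAD_METHODS else set()
    if method not in UPLOAD_METHODS or sanctioned:
        action = "allow"      # reads, or uploads to an IT-sanctioned app
    elif pii:
        action = "block"      # PII heading to an unmanaged service: stop the upload
    else:
        action = "coach"      # unmanaged service, no PII seen: steer the user to the sanctioned app
    return Verdict(user, host, app, sanctioned, pii, action)


def discover_apps(lines):
    """Shadow-IT inventory: every app seen, who used it, and how many uploads carried PII."""
    seen = {}
    for v in map(evaluate, lines):
        entry = seen.setdefault(v.app, {"sanctioned": v.sanctioned, "users": set(), "pii_uploads": 0})
        entry["users"].add(v.user)
        entry["pii_uploads"] += bool(v.pii)
    return seen


# Constructed sample log (not real traffic); the card number is a well-known test value.
SAMPLE_LOG = [
    '2016-04-07T09:01:10Z alice POST corp-drive.example.com 5120 "invoice for a.smith@example.com attached"',
    '2016-04-07T09:03:42Z bob POST filedrop.example.net 8192 "card 4111 1111 1111 1111 exp 12/18"',
    '2016-04-07T09:05:07Z bob PUT filedrop.example.net 300 "order ref 1234567890123"',
    '2016-04-07T09:06:30Z carol POST notes.example.org 1024 "customer: j.doe@example.com, 12 High St"',
    '2016-04-07T09:07:01Z dave GET filedrop.example.net 0 ""',
]

if __name__ == "__main__":
    for v in map(evaluate, SAMPLE_LOG):
        print(f"{v.user:6} {v.app:20} sanctioned={v.sanctioned!s:5} pii={sorted(v.pii)} -> {v.action}")
    for app, info in discover_apps(SAMPLE_LOG).items():
        print(app, sorted(info["users"]), "pii_uploads=", info["pii_uploads"])
```

Two points the code makes that the prose does not: an unknown host (notes.example.org above) is treated as unsanctioned by default, which is what turns discovery into a control rather than a report; and the 13-digit order reference matches the card pattern but fails Luhn, so the upload is coached rather than blocked. In a real deployment the decision runs inline at the proxy or via the app’s API, the catalogue is maintained by the CASB, and regex matching is only the first layer of a DLP classifier.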
Cloud vendors and cloud-consuming organisations alike need to recognise that the GDPR has significant implications for how a business controls personal data. As cloud apps and shadow IT have become commonplace in the enterprise, personal data are now even harder for IT to track and control. As a result, IT security teams will need to make the most of the two-year grace period before enforcement, and the penalties that come with it, begins.
When considering how best to achieve GDPR compliance, organisations should take it one step at a time, ensuring they begin by building a true picture of – and gaining control over – cloud app use in the workplace.