The General Data Protection Regulation (GDPR) governs how personal data is collected, stored and processed, including when it is held or accessed by third parties such as cloud service providers (CSPs). Its provisions are stringent and the penalties for violations are hefty. Even a modest deviation from the regulation can cost your company dearly.
Companies that rely on CSPs to run and manage applications have to be extra cautious if they want to avoid heavy fines and a loss of customer trust. Even if you are toeing the line set out by GDPR, your CSP might not be. In that case you, as the data controller, remain accountable for a failure that was not directly yours: you face the fine and lose face and goodwill in the marketplace. Either scenario spells disaster for a business.
If you hear warning bells, be reassured that there are many viable ways of making your cloud-run applications GDPR-compliant. But before we delve into the matter, let us look at what GDPR is and why you need to follow it.
GDPR - Basic Facts
What is GDPR?
GDPR is a set of rules that requires companies to protect the personal data they collect about individuals. It gives individuals control over their data and obliges the companies holding it to safeguard it against leakage or compromise. It replaces the Data Protection Directive of 1995 (Directive 95/46/EC), which had become outdated in the current landscape.
Who needs to follow GDPR?
While GDPR governs companies in the European Union (EU), its rules also apply to personal data about people in the EU that is processed by companies outside it. In this way, GDPR covers a large proportion of companies worldwide.
GDPR applies to:
- Organisations established in the EU, regardless of their size
- Organisations outside the EU that offer goods or services to people in the EU, or monitor their behaviour, and therefore handle personal data exported from the EU
Headcount does not exempt you. The 250-employee threshold that is often quoted only relaxes the duty to keep written records of processing activities, and even that relief falls away if the processing is not occasional, is likely to pose a risk to individuals, or involves sensitive categories of data. One recent survey reported that nearly 92% of US companies rank GDPR compliance as their top security concern.
Types of personal data covered by GDPR
GDPR uses the term "personal data" rather than personally identifiable information (PII), and defines it broadly as any information relating to an identified or identifiable person, including:
- Identity information such as name, home address, and identification numbers
- Online identifiers such as IP address and location data
- Health data and data about sexual orientation
- Biometric data used to identify a person
- Ethnic origin and political opinions
The last three groups are "special categories" of personal data and may only be processed under narrow conditions, so they deserve the strictest handling in your applications.
How much is the GDPR non-compliance fine?
There are two tiers of administrative fines that can be levied if your company is not GDPR-ready. Fines are set case by case, taking into account the nature and severity of the breach, rather than as a blanket rule for all operations; the tier depends on which provisions were breached.
- Tier 1- Fine of €10 million or 2% of annual global turnover, whichever is higher
- Tier 2- Fine of €20 million or 4% of annual global turnover, whichever is higher
Are your Cloud Applications GDPR-Ready?
If you have many cloud deployments hosted by third parties, you will have to ensure that those providers are as GDPR-compliant as you are. Such companies need more than technology to stay ahead of the curve: their internal cloud teams need to be trained so that they can build secure and compliant applications.
Here is a four-pronged approach you can apply:
- Make your cloud partners compliant
The cloud ecosystem consists of the vendor and the customer, and both must be GDPR-compliant. The cloud provider (vendor) needs to secure its physical infrastructure as well as the resources it offers for storage, computing, and database services.
If personal data you collect ends up stored or processed by your cloud vendor, make sure network controls such as firewalls and security groups are in place at both the instance and application level, and that access controls, logging, and encryption are configured and monitored for each application.
Major cloud providers such as AWS, Google Cloud, and Microsoft Azure have published their GDPR commitments and offer data processing terms; smaller vendors need to follow suit. Note that this does not shift responsibility away from you. The cloud customer is usually the data controller and remains accountable for how its processors handle the data, while GDPR also places direct obligations on the provider as a processor. The data processing agreement between you and the vendor should spell out both sides' duties.
- Conduct an internal audit
As mentioned, personal data includes a lot of sensitive information that can be compromised or leaked. Data security and breaches are a top concern for most internet users today. In many surveys, customers have admitted that they hesitate to engage with companies that ask for unreasonable personal details, and with every high-profile data breach, scrutiny of companies tightens.
GDPR is an opportunity for companies to take an objective look at the kind of data they collect from customers. Is so much data actually required by the business? What about the data already in the system? Is it outdated or irrelevant today? If so, it is advisable to dispose of it and keep your databases as lean as possible.
Since cloud applications involve handing customer data to vendors, an internal audit ensures that the minimum amount of sensitive information changes hands.
- Be proactive about security
Big-name cloud providers such as Amazon Web Services (AWS), Google Cloud, and Microsoft Azure offer the following security features:
Access: Using identity and access management (IAM), administrators can define granular permissions for each user and service. Multi-factor authentication (MFA) can be required before a user may exercise high-level permissions, so that privileged actions are separated from everyday access.
Encryption: You should encrypt data in transit between cloud services, including internal ones, and encrypt data at rest as well. Managed key services such as AWS Key Management Service (KMS) and Azure Key Vault let you enable and control that encryption without handling raw keys yourself.
Monitoring: You can use monitoring and audit services such as AWS CloudTrail and Amazon CloudWatch on AWS, or Azure Security Center on Azure, to find and close gaps in your cloud processes.
Threat Detection: Services such as Amazon GuardDuty on AWS and Azure Security Center on Azure analyse logs and network activity to flag suspicious behaviour so that it can be stopped at the source.
- Empower your teams
Keep a watch on your hiring and training processes so that your staff are capable of creating and deploying GDPR-ready applications. Encourage cloud teams to follow security best practices for data access and exchange. Keep upskilling the workforce to close skill gaps, and try to stay ahead of the next technological disruption by monitoring global trends and challenges.
The technology space is always evolving and you need to remain up to date. A loss of personal data will not only invite GDPR penalties but also show your company in a poor light, so it is imperative to follow advancements in the security domain.
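To make the "Be proactive about security" controls concrete, here is an added example (not code from the original article or from any cloud provider's documentation) of an AWS S3 bucket policy that enforces three of them at once: uploads must be encrypted at rest with a KMS key, every request must use TLS, and deleting objects requires an MFA-authenticated session. The bucket name `example-customer-data` is a hypothetical placeholder; the condition keys `s3:x-amz-server-side-encryption`, `aws:SecureTransport`, and `aws:MultiFactorAuthAge` are standard AWS policy condition keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsNotEncryptedWithKMS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-customer-data/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyRequestsWithoutTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-customer-data",
        "arn:aws:s3:::example-customer-data/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "DenyDeleteWithoutMFA",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::example-customer-data/*",
      "Condition": {
        "Null": {
          "aws:MultiFactorAuthAge": "true"
        }
      }
    }
  ]
}
```

All three statements are explicit denies, so they override any allow granted elsewhere in IAM, which is the behaviour you want for a guardrail on a bucket holding personal data. The `Null` check on `aws:MultiFactorAuthAge` treats any session that was not established with MFA as missing the key and therefore blocks the delete; test the policy with a non-MFA session before relying on it, and pair it with CloudTrail logging on the bucket so that denied requests are visible to your monitoring.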
To know more about iView Labs, visit our website at www.iviewlabs.com.