New data protection regulations are instituted all the time. Here are three important regulatory requirements your company should know about if you depend on cloud apps and services.
New data protection regulations take effect next year, most notably the European Union’s General Data Protection Regulation (GDPR). This regulation governs how enterprise companies and other organizations protect user data, and is meant to secure the personal information of customers against the ever-growing threat of Internet attacks.
Failure to comply could result in heavy fines of up to four percent of a company’s global annual revenue, so it’s important that businesses in charge of customer data take steps towards stronger cybersecurity now—especially if that data resides on third-party cloud services such as Office 365 or Salesforce.
Here are three important requirements you should know about if you depend on cloud apps.
Both the data controller and data processor must be secure.
Perhaps the most important thing to understand is how responsibility is shared between data controllers and data processors. A data controller could be an organization like a bank, which uses a cloud service company (the data processor) to store credit card information. If any kind of data breach occurs, both parties share responsibility. If your company uses a service that does not comply with the GDPR, you won’t be able to shift the blame for a data breach onto that company. Data controllers must institute policies and procedures to ensure that data processors take appropriate security measures to defend the personal data of customers and employees. In other words, enterprise companies need to ensure the cloud services they depend on are compliant, or they risk steep penalties.
It doesn’t matter where your cloud data is located; it had better be secure.
If your enterprise company is within the EU and your cloud service provider is physically located in the United States or elsewhere, both companies need to comply with GDPR standards. That’s right; even though the GDPR is a European Union law, it applies to companies with a global presence. That means data belonging to EU businesses or citizens that is stored in, or transferred to and from, a U.S. cloud service must be secured with strong data protection measures at both ends. If a user’s private information passes from the U.S. to the EU, or vice versa, that data must be secure at every point.
Sensitive data should be audited, pseudonymized, and handled carefully.
Under the GDPR, cloud companies must know where their personally identifiable data is located and maintain an inventory of all data-subject data in order to protect it effectively. With swaths of unidentified data potentially stored across databases, the cloud, and other systems, many enterprise companies will have to enact protocols and procedures to discover, organize, and report on any sensitive data they store. Most importantly, companies should consider encrypting and pseudonymizing that data, which renders information “in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.” Cloud providers could also be required to delete information about a customer or business on request, and the customer or business will be allowed to move data from one cloud service to another.
Operating a cloud service is all about building and maintaining trust and taking responsibility for managing customer and business data. The above data protection requirements are among the most important areas to address in order to comply with the new, incoming rules.
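As an added illustration of the pseudonymization requirement quoted above (example code, not from the original article or any specific cloud provider), the script below replaces direct identifiers in a constructed set of customer records with keyed HMAC tokens. The key is the “additional information”: records for the same subject stay linkable for processing, but nobody holding only the tokenized data can attribute them to a person. The record layout, field names and the key-handling split between controller and processor are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records, as a cloud processor might hold them.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "balance": 1200.50},
    {"customer_id": "C-1002", "email": "bob@example.com", "balance": 80.00},
    {"customer_id": "C-1001", "email": "alice@example.com", "balance": 1250.75},
]

# Fields that directly identify a data subject; these get pseudonymized.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def make_pseudonym_key() -> bytes:
    """Secret that is the 'additional information' needed to re-identify.
    It must be stored separately from the pseudonymized data set (assumed
    here to stay with the controller, not the processor)."""
    return secrets.token_bytes(32)


def pseudonymize_value(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256 of the value under the key. Deterministic, so the same
    subject maps to the same token; the field name is mixed in so identical
    strings in different fields do not produce matching tokens."""
    msg = f"{field}\x00{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_record(key: bytes, record: dict) -> dict:
    """Return a copy of the record with direct identifiers replaced."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonymize_value(key, field, str(out[field]))
    return out


def pseudonymize_records(key: bytes, records: list) -> list:
    return [pseudonymize_record(key, r) for r in records]


def build_reidentification_table(key: bytes, records: list) -> dict:
    """Token -> original value map, kept by the controller only, so that a
    subject's deletion or portability request can be honoured."""
    table = {}
    for r in records:
        for field in DIRECT_IDENTIFIERS:
            if field in r:
                table[pseudonymize_value(key, field, str(r[field]))] = str(r[field])
    return table
```

Note that the non-identifier columns (here `balance`) are left in the clear; pseudonymization covers the direct identifiers, and any remaining quasi-identifiers still need to be inventoried and assessed separately.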