The GDPR begins enforcement in May and it will change the cloud service landscape forever. Here’s how.
The European Union’s General Data Protection Regulation (GDPR)—which aims to crack down on how enterprise companies treat user data, in the hope of preventing data breaches and mitigating their damage—has technically been ratified and in effect for a while now. But full-on enforcement begins May 25, 2018, which gives companies and cloud services responsible for collecting and processing customer data a small grace period to comply with the new legislation, hire new IT employees, improve customer trust, and implement the security standards necessary to adequately protect that information.
Here are five ways the GDPR will affect cloud services:
First: The GDPR doesn’t just affect cloud services in the EU.
Second: Cloud services might need to do some extra hiring.
Article 37 of the GDPR requires organizations whose core activities involve monitoring data subjects on a “large scale” to appoint a Data Protection Officer (DPO). It’s up to this DPO, who may be hired or contracted, to educate employees and make sure they understand the GDPR, and to ensure the organization’s data policies are aligned with it. Those policies should include a privacy assessment of any new cloud-related products, platforms, or services, as well as audits, security risk assessments, and data anonymization and pseudonymization.
Third: Cloud services must tighten security.
Speaking of which, cloud services must make security a paramount concern. The personally identifiable information of customers and employees that passes through or is stored in a cloud service must be securely encrypted and pseudonymized, so that it is unusable to any malicious outsider who obtains it through a breach. Any deleted or lost data must also be restorable in the event of an incident, and security measures must be systematically tested.
Fourth: Cloud services must allow for transparency.
The GDPR requires companies to provide transparency about the data of customers and employees and how it’s collected, processed, stored, and used. Cloud services need to provide that information to data subjects “using clear and plain language,” in writing or by electronic means. Also, cloud services in control of data must notify data subjects and regulators about breaches within a few days of discovering such an event.
Fifth: Cloud data must be flexible and ready to move.
In addition to notifying data subjects about breaches, cloud service companies must know exactly what kind of data they hold, where it’s located, and whether it can be moved at a moment’s notice, because data subjects have the right to withdraw consent and move their private material to another vendor. Therefore, it’s vital for cloud services to be flexible and able to adapt to the wishes of customers, employees, and regulators.
The days of lax cybersecurity, opaque practices, and flimsy customer protections are over. As previous articles about the GDPR have stated, the penalty for non-compliance can be steep: fines of up to four percent of global annual turnover. But the real motivator should be enhanced customer confidence and the potential for a world without catastrophic data breaches.