The EU GDPR has finally entered into full force and with it, a large body of work and efforts in relation to the protection of privacy and personal data. Front and center is what’s known as the Data Protection Impact Assessment as well as other audit and documentation obligations imposed on companies using commissioned data processing and cloud services.
One thing, at least, is clear: the EU GDPR represents a significant tightening of regulations on external data processing and codification as part of harmonization work on EU-wide data protection. So what are the key changes for the many data controllers in mid-sized to large enterprises?
It’s true that the GDPR does explicitly provide for the processing of personal data even outside the EU, and independently of whether the data processor (such as the cloud service provider) is based inside or outside the EU. However, this comes with various provisos attached. As one example, the cloud provider selection criteria have been dramatically tightened, since these providers can themselves become data controllers once they independently determine the purpose of data processing.
Other regulations have also been tightened – some considerably – for data controllers and external data processors, especially as regards responsibility for data processing and the question of liability in the event of breaches of GDPR rules.
Who is responsible for the data: the company or the cloud provider?
The GDPR stipulates that not only the client who commissions the external data processing can be held liable for any breach of GDPR rules, but the external data processor as well. In future, therefore, the controller responsible for the data processing and the processor are held jointly liable.
Data controllers have special obligations under the GDPR
Companies, as data controllers, are given a whole series of duties, and these should be taken very seriously indeed. First and foremost, they must ensure, and be able to prove, that the processing of personal data is performed in compliance with GDPR rules at all times. These rules include compliance with certain basic principles such as data pseudonymization and encryption, data minimization, adherence to the processing purpose, and so forth. Taken together, they also specify which data may be processed and stored, to what extent, and for how long.
GDPR compliance: a laborious task for businesses
Companies face a major set of challenges any time personal data are processed. The actual volume of sensitive data is irrelevant: even storing an employee’s CV or a customer’s email or street address is sufficient. Taken together, the steps required to document the measures that have been taken to protect these data result in a high level of effort, which is felt in particular if these data are not stored and managed by the company on premises but in a cloud environment.
It’s therefore an immense help if prior encryption and pseudonymization have been used to ensure that sensitive data do not even arrive at the cloud provider in plaintext form: in this case, they are not in scope of the GDPR rules, since they can in no way constitute a data protection breach on the part of the cloud provider.
eperi and GDPR: a way to reduce the auditing workload for data controllers
As the discussion above has shown, both the implementation and documentation of the corresponding protective measures in a GDPR context represent a significant workload. Not least because new features and services are regularly offered in a cloud context – and all of these need to be audited for their reliability, integrity, and security in relation to personal data. Accordingly, the Data Protection Impact Assessment (DPIA) required by the GDPR takes on the role of a kind of early-warning system that offers quicker and more reliable detection and elimination of potential vulnerabilities. The DPIA analysis process enables full transparency for all responsibilities, and so provides information about the data protection measures that are necessary.
These and other aspects make it clear that companies for whom the use of cloud services forms part of the company’s IT strategy are required to invest a considerable amount of time and resources if they wish to satisfy the high standards required by the EU GDPR.
eperi Cloud Data Protection (CDP) will help you take the regulatory hurdles in your stride.
This is where eperi comes in: with the help of the eperi Gateway, the specific requirements for protecting sensitive personal data can be satisfied with relatively little effort. Thanks to the eperi solution, companies retain sole control of their data protection processes and can thus guarantee compliance with the stringent GDPR standards when cloud services are utilized within the company. Accordingly, the auditing effort and the associated documentation requirements are reduced to the precautions and data protection measures deployed within the company itself.
This approach also offers another advantage: if the company is using a cloud service provider (CSP) that deploys its own internal encryption method, the data controller must first spend time and effort verifying that the CSP complies with GDPR in full. This involves answering a whole series of questions, including:
- How does the CSP ensure that a data breach is detected and prevented, and how does the CSP verify which data are affected by the breach?
- How does the CSP guarantee that the data controller can report a data protection breach following discovery within 72 hours to the respective authority?
- Where exactly are the sensitive data (and backups) stored, and who has access to all these systems?
With eperi’s help, all of this can easily be sidestepped. Very neatly indeed.
Data encryption before data find their way to the cloud
The magic formula for all of these use cases is ‘use data encryption’. This enables all sensitive data to be rendered illegible to unauthorized parties before personal data even take a single step in the direction of the cloud. For mid-sized or larger enterprises in particular, this means they can keep full control of their personal data, and so fulfill the stringent regulations relating to data protection conformity ‘on the fly’, so to speak.
And that’s not all. Thanks to the transparent encryption of cloud data, a whole host of risks that could potentially arise when selecting a suitable cloud model or the corresponding cloud service provider can be simply and elegantly ‘put to bed’. After all, who can say that the short-listed cloud provider really takes the strict rules of the GDPR as seriously as they actually should do?
The EU GDPR does call for standardized approaches to certification and these should also be encouraged as appropriate. But as long as no common and binding standards actually exist, these certificates are probably not worth much more than the paper they are printed on. With eperi-style encryption, the whole discussion about the ‘right’ cloud provider effectively disappears into thin air.
Office 365, Salesforce, or other cloud applications: the eperi Gateway as the single point of control
With the support offered by the eperi solution for popular cloud applications like Office 365 or Salesforce, companies can now ensure that particularly sensitive personal data are given all-round protection at all times from unauthorized access. Neither the cloud provider nor any other external data processor receives access to the data, since the key remains under sole control of the cloud user – i.e. the company itself. This establishes a master checkpoint for data protection and encryption management that guarantees the data controller sole and absolute control over the encryption and tokenization processes.
What’s more, eperi Cloud Data Protection also means that the data encryption has no effect at all on the cloud platform and its technical components, also ensuring that all key application functions are retained while offering fully-featured usability for the end user. And all of this with relatively little set-up work.
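The gateway principle described above (and in the earlier point about data leaving the company only after encryption and pseudonymization) reduces to two operations applied before a record is handed to the cloud application, as in this added illustration. It is not eperi's code: the keys, field names, the HMAC-based token format and the `CloudRecord` layout are constructed assumptions, and the point is only that the record reaching the provider holds no plaintext and that decryption needs a key the provider never receives.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)
// Constructed sample keys; in practice they sit in a key store on the controller's side.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var tokenKey = []byte("sample-token-key-kept-on-premise")
var gcm cipher.AEAD
func init() {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err)
	}
	if gcm, err = cipher.NewGCM(block); err != nil {
		panic(err)
	}
}
// CloudRecord is what actually reaches the provider: no plaintext personal data.
type CloudRecord struct{ EmailToken, NameCipher string }
// Pseudonymize yields a keyed, deterministic token so the cloud app can still match on the field.
func Pseudonymize(field string) string {
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(field))
	return "tok_" + hex.EncodeToString(mac.Sum(nil))[:32]
}
// ProtectForCloud is the gateway step: the searchable field becomes a token, the
// free-text field is sealed with AES-256-GCM as hex(nonce||ciphertext||tag).
func ProtectForCloud(name, email string) (CloudRecord, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CloudRecord{}, err
	}
	ct := gcm.Seal(nonce, nonce, []byte(name), nil)
	return CloudRecord{EmailToken: Pseudonymize(email), NameCipher: hex.EncodeToString(ct)}, nil
}
// Decrypt reverses the sealing; only the key holder (the controller) can do this.
func Decrypt(blob string) (string, error) {
	raw, err := hex.DecodeString(blob)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}
```

The deterministic token is what keeps filtering and matching working in the cloud application; the GCM tag is what makes any tampering with the stored ciphertext detectable on the way back.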
Conclusion: Achieve GDPR compliance for your cloud data with eperi
In conclusion, one can say that companies who decide to use the services offered by the eperi Cloud Data Protection solution will take a major step in the direction of GDPR compliance, not least because they reduce their data protection workload in one stroke to a level that some data protection officers would envy. Last but not least, this cloud encryption solution offers the right mix of data control, data protection, and usability for familiar cloud applications such as Office 365, SharePoint, and Salesforce, as well as for other applications.