While it is vital for organizations to understand the forthcoming General Data Protection Regulation and what it means for their use of sensitive data of EU citizens, it is also important to look at what could be holding companies back in order to adequately address issues.
The Current State of Cloud Projects
We surveyed 250 security professionals at a major European security event to get some unique insight into how data security, particularly in the cloud, is viewed in light of the new regulations.
For example, though 90% of surveyed professionals claimed data security formed part of their decision to move applications to the cloud, over half said GDPR would stop them from putting sensitive data in the cloud. A further 50% said that they have avoided using cloud SaaS applications due to perceived security risks and for 85% of those, it was due to the protection of sensitive data being a concern.
Another alarming stat was that half of professionals surveyed had experienced a delay or stoppage in a cloud project due to data compliance issues with the cloud provider. In all, 72% said that they would be re-evaluating their data security requirements in the cloud due to GDPR.
Indeed, reassessing cloud data security practices for controlling sensitive data is a wise move, but it is crucial that the focus is in the right place. This matters all the more given that 20% of professionals responded that their company’s sensitive data in cloud Software as a Service (SaaS) applications, such as CRM like Salesforce or email like Office 365, is not encrypted.
Though organizations and cloud providers take many steps to secure their IT infrastructures, attackers can nearly always find a way in. Therefore, for modern business, the emphasis is shifting: the question is no longer how safe the cloud SaaS data centre is, but how well the data itself is protected. This is extremely important for GDPR, as the regulation is likewise laser focused on the protection of sensitive data.
Where once IT security controlled the IT and data security, the scales have tipped in favor of compliance and it is becoming a massive driver for any business decision involving sensitive data. IT departments now need to become the implementers of solutions that meet these data compliance requirements.
Encrypting or tokenizing data means that it is scrambled by an algorithm to such an extent that it is rendered unusable to any unauthorized party who gains access to it. The only way to recover the original data is with a key, which ideally should be under the control of the organization that owns the data.
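To make the two techniques concrete, here is an added example (not code from the original article or from any product it mentions) showing what "unusable without the key" means in practice. It encrypts a sensitive field with AES-256-GCM under a key that stays with the data owner, shows that the wrong key cannot open the ciphertext, and contrasts that with vault-based tokenization, where the stored value is a random token and the only way back to the real value is the vault the organization controls. The field values, key bytes and the `TokenVault` type are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM under a 32-byte key held by the
// data owner. The returned bytes are nonce || ciphertext || auth tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// A fresh random nonce per message; GCM also authenticates the ciphertext,
	// so tampering or a wrong key is detected rather than yielding garbage.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails unless the caller holds the same key.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// TokenVault is a hypothetical in-memory token vault: the SaaS application
// only ever sees the token, and the mapping back to the real value lives here,
// under the organization's control.
type TokenVault struct {
	byToken map[string]string
	byValue map[string]string
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// Tokenize returns a random, stable token for value; the token carries no
// information about the value, so a copy of the SaaS database reveals nothing.
func (v *TokenVault) Tokenize(value string) (string, error) {
	if tok, ok := v.byValue[value]; ok {
		return tok, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	v.byToken[tok] = value
	v.byValue[value] = tok
	return tok, nil
}

// Detokenize resolves a token; without vault access there is no way back.
func (v *TokenVault) Detokenize(tok string) (string, bool) {
	value, ok := v.byToken[tok]
	return value, ok
}

func main() {
	// Constructed sample key and field value for the demonstration.
	key := make([]byte, 32)
	rand.Read(key)
	ct, _ := Encrypt(key, []byte("jane.doe@example.com"))
	fmt.Printf("stored in SaaS: %x\n", ct)
	pt, _ := Decrypt(key, ct)
	fmt.Printf("owner decrypts: %s\n", pt)
	_, err := Decrypt(make([]byte, 32), ct)
	fmt.Println("wrong key:", err)

	vault := NewTokenVault()
	tok, _ := vault.Tokenize("4111 1111 1111 1111")
	fmt.Println("stored in SaaS:", tok)
	value, _ := vault.Detokenize(tok)
	fmt.Println("vault resolves:", value)
}
```

The design point for GDPR planning is the same in both cases: what lands in the provider's database is useless on its own, and the thing that makes it useful again (the key or the vault) never leaves the data owner. Rotating the key or revoking vault access is then a decision the organization can take without asking the provider.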
In the next instalment, we will look at encryption in more detail and at how to do it right in the cloud, so that organizations are on a firm footing to meet the new GDPR compliance requirements.
EU GDPR: The Essential Facts at a Glance - Series:
Part 3: The Current State of Cloud Projects