In the first part of our getting to grips with GDPR series, we covered the new regulation, what is meant by data controllers and data processors, and the penalties for failing to take proper precautions when protecting EU citizens' Personally Identifiable Information (PII). This time, we will look at what this means in the context of the cloud and what companies need to realize when making a digital transformation using cloud services such as Office 365, Salesforce or custom cloud applications.
Why GDPR affects the entire Organization
The cloud is a cost-effective, scalable and efficient way for organizations to use powerful software without purchasing all of the IT infrastructure needed to support it in-house. Some of the most popular enterprise cloud Software as a Service options are Office 365, Salesforce and Amazon Web Services. While the business benefits are many, it's vital for every company using them to know exactly where they stand with people's personal data and how it moves to and from the cloud.
The first thing that companies have to realize is that with GDPR, data security is no longer just an issue for IT. When we questioned 250 security professionals on who in an organization should be responsible for GDPR compliance, the top answers were the legal department, security and HR; only 40% chose "all of the above" from a list of legal, security, HR, line of business, the board and marketing.
C-level executives must realize that all departments within a company are equally important when it comes to implementing security. CISOs must spend more time educating the board on information security and the risks that follow from negligence. HR and Legal departments need to ensure that all facets of the company comply with the relevant regulations and laws, especially when handling PII. This may involve the business changing its privacy and data management practices, for example by obtaining consent for the use of personal data from the people it holds data about. Failure to follow these simple requirements will prove costly, leading to fines and reputational damage.
With GDPR designed to strengthen and unify data protection for individuals, marketing departments will see a change in their approach to gathering data. Clear statements must be displayed explaining why you need the data and how it will be processed; for example, the individual's full consent must be given before their data can be used. Financial departments will also need to review how they store and process PII such as ID numbers and bank details.
GDPR Article 32 specifically requires that sensitive data be protected throughout its entire lifecycle and at every stage of processing. To ensure this requirement is met, the various departments within an organization have to work in tandem. The belief that data privacy is mainly an IT issue is narrow-minded in today's data security landscape.
That's not to underestimate the role of the IT department, which will focus on managing data privacy through efficient and effective controls. IT must know exactly where the data is, whether it is stored in-house or in the cloud, which systems hold which particular data, and be able to locate data upon request. When a data breach occurs, the IT department will lead in identifying the breach and assessing the impact on personal data. It will also be their duty to have a process in place to notify the necessary authorities and regulators of the breach within 72 hours.
It is clear, then, that GDPR will affect all aspects of the enterprise, and should companies focus on technology alone, the penalties could be astronomical. Instead, a solution that combines data security, technology and compliance is needed to ensure the entire business is fully prepared for GDPR.
EU GDPR: The Essential Facts at a Glance - Series:
Part 2: Why GDPR affects the entire Organization