IT security, infrastructure and operations teams have long been responsible for an enterprise's data security requirements whenever business departments look to the cloud and to Software as a Service (SaaS) business and collaboration applications to gain an advantage, improve collaboration and become more efficient. Along the way they gained a reputation for simply saying "no" in the name of security. With the looming General Data Protection Regulation (GDPR), however, there is a new sheriff in town: the Legal and Compliance departments, which now have to drive data compliance from a corporate governance point of view.
BY RAVI PATHER, EPERI
Driven by fines of up to 4% of global revenues, mandatory data breach notification with its naming and shaming, and the resulting brand damage, data compliance has become a corporate risk item, and the management of that risk now ultimately sits with the CEO and the board.
Organisations must acknowledge that data security is not the same thing as legal compliance with GDPR, and that "security" is becoming a much broader issue within the business. They must therefore approach security and compliance in a broader context, involving stakeholders across the business (the data controller) in order to take a corporate stance. This means agreeing what constitutes sensitive data and then applying data compliance and data control to it, especially when leveraging the power of cloud SaaS business applications (the data processor).
Any modern business will know the scenario: the HR, Sales or Marketing director, in a bid to drive collaboration or increase productivity, finds the perfect cloud SaaS application to streamline a business function. S/he forges ahead at full steam to solve the immediate business problem, placating security operations with reassurances that the SaaS vendor uses encryption and therefore keeps the data "safe". It uses HTTPS as a secure connection while business data is shuffled to and from the cloud. It has a secure data centre with security experts working around the clock to ensure availability and keep hackers out. This is great: the cloud offers amazing business benefits and is secure and cost effective to boot. It's a sure winner, right?
Yes and no. The cloud is an incredible option for businesses looking to become more agile and efficient. Yet companies that jump in blindly, without methodically considering the data first and foremost, could end up failing basic compliance under GDPR, which very clearly sets out data security and other principles governing the responsibilities of data controllers and the treatment of personally identifiable information (PII) and sensitive PII. Those obligations extend to any third-party organisation (data processor) that handles the personal data of individuals in the EU.
What it means
The enterprise's legal, risk and compliance teams must essentially become the custodians of the business and apply corporate governance. Where once IT security controlled IT and data security, the scales have tipped in favour of compliance, which is becoming a massive driver for any business decision involving sensitive data. IT departments now need to become the implementers of solutions that meet these data compliance requirements.
Therefore, if we revisit the example above, the reality is that the SaaS vendor's assertion about the "safety" of a business's data does very little to satisfy the specifics of data compliance under GDPR. Just because the SaaS vendor encrypts data at rest does not mean the organisation is in control of that data or meets its compliance requirements, and even less so if the vendor manages all or even part of the encryption keys. Data that the vendor can decrypt is, to that vendor, simply personal data in the clear; the organisation cannot demonstrate that the data is pseudonymised under GDPR when the SaaS vendor manages the encryption or has access to any part of the keys.
Moreover, even a secure HTTPS connection between the organisation and the SaaS vendor does not by itself ensure data security. TLS protects the data only while it is in transit; at either end of the tunnel the data is in plaintext, and the weaknesses at those endpoints are well documented in the industry.
The key here, and something that is very well laid out in the GDPR principles, is data control. Specifically: if sensitive encrypted data were intercepted or compromised, could it be reversed to the original? If the answer is yes, it is still regarded as personal data and is treated as such, and it remains subject to the GDPR principles.
In the past, this has been interpreted as a general data residency requirement on a country-by-country basis, with different mandates depending on location and jurisdiction. With GDPR the guesswork is taken away, and the onus is very much on the organisation, as data controller, to assume ultimate responsibility for its PII and sensitive PII data when using third-party data processor systems.
Tips for businesses as Data Controllers
Business owners should not be taken in by a SaaS vendor claiming that GDPR compliance is met because PII and sensitive PII data are encrypted at rest. In all likelihood the data is safe, but that is not the same as being in control of the PII data and meeting the many principles of GDPR compliance and security. For modern business the emphasis is shifting: the question is no longer how safe the cloud SaaS data centre is, but what happens to the data itself. A responsible and well-organised enterprise will understand all of its legal compliance requirements and take the appropriate steps to meet them. This can be covered in three basic steps:
- Understand what data is going to the cloud. Is it business critical? Does it include personally identifiable information (PII) such as names, contact details, financial or health records and purchase information, or sensitive PII such as salary information, racial or ethnic origin, sexuality and religious beliefs?
- Data classification: know which data is subject to which legal or compliance requirements, by geography.
- Implement systems that set policies for, and control, that data when it leaves the organisation, so that it meets the compliance regulations (see the GDPR principles of data protection by design and by default, and of integrity and confidentiality).
Bear in mind that the historic tools for managing compliance, such as Data Leakage Prevention (DLP) and now Cloud Access Security Brokers (CASB), too often act as barriers that block information before it enters the cloud, which is unhelpful to modern business. Instead, organisations should focus on technology such as Cloud Data Protection (CDP) solutions that encrypt or tokenise the PII data itself, in motion to the cloud, at rest and in use, while keeping it usable for the organisation by preserving search and sort functionality. Importantly, the control, for example encryption key management, should always be fully retained by the organisation and never handed to the SaaS vendor, in order to meet compliance and data control standards.
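The following is an added illustration of the tokenisation approach described above, written for this page; it is not code from eperi or any CDP product. It models a gateway that sits between the organisation and the SaaS: classified fields are replaced with keyed tokens before a record leaves the organisation, the HMAC key and the token vault stay on the organisation's side, and the SaaS copy can still be searched for equality by tokenising the query. The field names, the `tok_` token format and the sample HR record are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Fields that this (hypothetical) gateway policy classifies as PII / sensitive PII.
# The set is an assumption for the example, not a standard list.
PII_FIELDS = {"name", "email", "salary"}


class TokenVault:
    """Org-side token vault. The HMAC key and the token->plaintext map never leave
    the organisation, so the SaaS (data processor) only ever holds tokens."""

    def __init__(self, hmac_key=None):
        # A keyed HMAC rather than a bare hash: emails and names are low-entropy,
        # so an unkeyed SHA-256 of them could be reversed by a dictionary attack
        # run against the SaaS copy.
        self._key = hmac_key if hmac_key is not None else secrets.token_bytes(32)
        self._vault = {}  # token -> original value

    def token_for(self, field, value):
        # Deterministic per (field, value): the same email always yields the same
        # token, which is what lets the SaaS side do equality search and de-dupe.
        msg = f"{field}\x00{value}".encode("utf-8")
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]
        return f"tok_{field}_{mac}"

    def tokenize(self, field, value):
        token = self.token_for(field, value)
        self._vault[token] = value
        return token

    def detokenize(self, token):
        # KeyError here means a token minted under another key, or tampering on
        # the SaaS side; neither should be silently accepted.
        return self._vault[token]


def outbound(record, vault):
    """Gateway, org -> SaaS: swap classified fields for tokens before the record
    leaves the organisation's control. Non-PII fields pass through untouched."""
    return {k: vault.tokenize(k, v) if k in PII_FIELDS else v for k, v in record.items()}


def inbound(record, vault):
    """Gateway, SaaS -> org: restore plaintext for authorised users inside the org."""
    return {k: vault.detokenize(v) if k in PII_FIELDS else v for k, v in record.items()}


def saas_search(saas_records, vault, field, value):
    """Equality search over the SaaS copy: the gateway tokenises the query value with
    the org's key and the SaaS matches on the token without ever seeing plaintext."""
    needle = vault.token_for(field, value)
    return [r for r in saas_records if r.get(field) == needle]


def leaks_pii(saas_record, original):
    """The article's 'can it be reversed?' check in its simplest form: does any
    classified field in the SaaS-side copy still carry its original value, even
    partially (e.g. a masked 'alice@***' would still be caught)?"""
    for f in PII_FIELDS:
        if f in original and str(original[f]).lower() in str(saas_record.get(f, "")).lower():
            return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample HR record; every value is invented for the example.
    record = {"id": 7, "name": "Alice Example", "email": "alice@example.com",
              "salary": 52000, "ticket": "open"}
    sent = outbound(record, vault)
    print("SaaS-side copy:", json.dumps(sent))
    print("leaks PII:", leaks_pii(sent, record))
    print("search hit:", saas_search([sent], vault, "email", "alice@example.com") == [sent])
    print("round trip ok:", inbound(sent, vault) == record)
```

Two caveats a practitioner should weigh. Deterministic tokens are what make equality search and de-duplication work on the SaaS side, but they also leak equality: two records with the same email are linkable by anyone holding the SaaS copy, key or no key. Sorting on a tokenised field needs an order-preserving scheme, which leaks strictly more, so decide per field whether search, sort or neither is actually required. The vault itself is now the crown jewel: if it is lost the SaaS data is unrecoverable, and if it is copied the pseudonymisation is undone, so it needs the same backup and access-control discipline as a key management system.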
Where once IT or the CIO made the tough decisions regarding cloud and business applications, GDPR moves the emphasis to data protection and control. The age-old conflict between business, IT and Legal/Compliance sees renewed focus shift onto Legal and Compliance as data control becomes an item of corporate risk, with the aim of avoiding the fines and penalties set out in the impending GDPR. Only by recognising that data control is the biggest issue for compliance, classifying the data, and putting advanced cloud data protection in place before PII and sensitive PII data moves outside the organisation's control can compliance and security live in harmony. If the principles of pseudonymisation have been met, a compromise of the processor's copy exposes only data that cannot be reversed, which under GDPR can remove the need to notify the affected individuals; that reduces the organisation's risk exposure and is a sure step in the right direction.