Another data exposure where organizations are still holding sensitive personal data unsecured on cloud servers. More poignant when you consider the sensitive nature of the US security clearance of individuals - mostly US military veterans job seekers.
BY RAVI PATHER, EPERI
Let's use this recent case to remind ourselves that under the upcoming EU General Data Protection Regulation (GDPR) Personal Identifiable Information (PII) and sensitive PII data would fall under strict data protection guidelines and principles of GDPR.
Failure to comply will result in fines of up to 4% of group revenues. A motivation to therefore assess such risks within your organizations. Various surveys are identifying enterprises are not on track nor prepared for the new GDPR regulation that comes into effect in May 2018.
Lets explore this case and as a case study apply it to principles and guidelines of the GDPR making an assumption they were handling and processing EU citizen data. An US based security firm hires a third-party recruitment firm. Let’s assume under GDPR, data consent and data minimization processes were completed and it was necessary to store and process such personal data.
Under GDPR, the storage of such personal data in a 3rd party cloud (data processor) environments would have been identified as high risk to the data subject because of being stored and processed in the cloud on third party data processor systems.
This high-risk scenario would therefore require a Data Protection Impact Assessment (DPIA) to be completed. Under GDPR rules, failure to complete a DPIA could result in a fine of €10 million or 2% of group revenues. The GDPR guideline is: if in doubt about the need to complete a DPIA, complete one anyway or consult the DPA.
Assuming a DPIA has now been completed, under GDPR guidelines the risks identified in the DPIA of processing PII and sensitive PII data in a third party cloud data processor environment have to be mitigated.
Under GDPR the principles of "Security by design and by default" (Article 25) and "comprehensive security" (Article 32) are a set of guidelines to protect PII and sensitive PII data using protection techniques of data pseudonymization (Recital 28) and data anonymization (Recital 26) when working with third party cloud service providers or data processors. These are well documented. A data sheet from eperi summarizes these principles.
Rather than seeing GDPR as an onerous and heavy set of legal requirements and rules, enterprises should see GDPR as data protection best practice for storing and processing personal data for both on premise and cloud based application architectures and most importantly, if implemented correctly then it should be seen as a corporate risk mitigation to avoid GDPR fines of up to 4% of group revenues.
GDPR Data Breach Notification Article 34 states; The communication to the data subject shall not be required if data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorized to access it - such as encryption.
As a case study, if the US security firm (controller) and the recruitment firm (processor) were handling personal data of EU citizens, under GDPR Regulations, they would have equally been on the wrong side of the law and facing GDPR fines of up to 4% of group revenues.
How many enterprises are using cloud SaaS applications such as Office 365, Salesforce, Dynamics etc. These are regarded as 'data processors' environments under GDPR and most likely PII and sensitive data is being stored and processed. Has your organization completed its DPIA?
eperi Cloud Data Protection solutions can help protect PII and sensitive PII data before it leaves the enterprises network (this is part of implementing GDPR 'Security by design' principles) and is stored and processed as encrypted data and classified as pseudonymized data helping enterprises reduce the scope and mitigate the data compromise risks for GDPR when using a third party data processors.