Research has shown disparity in how many companies think they are ready for GDPR versus how many actually are prepared. Don’t be caught in the trap – minimize the scope of GDPR by considering these important questions.

Some recent research from Veritas that surveyed 900 decision makers from organizations around the world has caught my eye this week. The study looked at how ready a company thinks it is for the General Data Protection Regulation (GDPR) versus how ready it actually is based on some follow up questions designed to gauge GDPR readiness.

Of the 31 % of decision makers who stated that they were compliant already, only 2 % could demonstrate that they were indeed compliant. As with any regulation of its kind, there is bound to be some teething problems, but GDPR comes into force on 25th May 2018 – in less than a year. And with the disparity of the figures coupled with the fact that only two percent of organizations are able to show they’re compliant at this stage, it is a real problem that needs to be tackled by the industry, and quickly.

In particular, there is one big GDPR myth that needs to be dispelled; and that is what cloud service providers (CSPs) are responsible for security-wise.

Almost half of the respondents who said they were compliant with GDPR considered it the sole responsibility of the cloud service provider (CSP) to ensure data compliance in the cloud. This confusion is one that needs to be debunked and a point that every organization who puts data in the cloud needs to be crystal clear on.

In reality, the CSP is only responsible for the security of its own infrastructure – not your data.

The protection of data is down to the “data controller” according to GDPR guidelines.  The “data controller” is the source of the data and therefore in most cases will be the organization that puts the data in the cloud.

The best way for enterprises to guarantee the security of sensitive data in the cloud is to encrypt it before it goes into the cloud. Organizations need to remember that the security of their customer’s, employee’s and other sensitive data is their responsibility – not someone else’s. There are a few questions to ask when looking for a solution for data encryption that will help when it comes to minimising the scope of GDPR:

1. Is it open source? Only open source solutions can provide the peace of mind that there will be no backdoors that could potentially be used to exploit data in the future.
2. Who controls the keys? The “data controller” should remain in control of the encryption keys. This way, even if data is stolen from the cloud – it’s unreadable to anyone except the data controller. According to GDPR guidelines if a breach is “unlikely to result in a risk to the rights and freedoms of natural persons”, then the organization may not need to report it.
3. Does it protect data at rest, in use and in motion? A lot of so-called encryption solutions will only encrypt data once it reaches its destination, which is insufficient under GDPR guidelines which stipulate that sensitive data must be protected for its entire lifecycle.
4. How useable is the data once it’s been encrypted? OK, so this one is less about GDPR and more about the organization being able to use the data one it has been protected. After all, if the encryption solution makes the data infinitely more time consuming to search and process, then the business can be adversely affected – and that’s not good for anyone.

By focusing on the first three points, it will go a long way towards GDPR readiness; and the fourth, though not entirely focused on GDPR, is still incredibly important from an operations and usability standpoint. We also know that historically if technology makes it harder for someone to do their job, it will just get bypassed. The eperi Gateway satisfies these requirements and more – head on over to the solutions page to check it out.