Organizations must be clear they will still have to meet the legal requirements of The General Data Protection Regulation (GDPR) which comes into force in 2018. GDPR will be the broadest legislation yet in governing the security and management of both customer and staff personal data –those that don’t comply will feel the savageness of its bite.
GDPR has been designed to strengthen and unify data protection for those within the EU and address the export of personal data outside the EU. It also means that organizations from the US processing data on EU citizens must adhere to the legislation, even if they have no presence in any European nation. Thus operators of US-hosted commercial websites or mobile apps may fall under this legislation, along with a number of US-based service providers who support European retailers.
The regulation will give citizens back control of their personal data and simplify the regulatory environment for international business by unifying legislation within the EU. It will be applicable across all 28 EU states, with a single target date for implementation – currently 28 May 2018.
The GDPR will have major repercussions for both cloud-consuming enterprises, cloud vendors, IT and associated security teams who will need to start ring-fencing resources to prepare for and comply with the new legislation.
For those that don’t comply, the fines will be high. Sanctions include regular periodic data protection audits and a fine up to 20 million euros or up to 2% of the annual worldwide turnover of the preceding financial year for an enterprise, whichever is greater.
Big changes ahead
The GDPR is extremely broad, but one of the biggest revisions is the proportioning of responsibility. Previously only data controllers were responsible for data processing activities, but the new legislation applies to everyone who comes onto contact with the personal data, including service providers.
There is also a sweeping change in reporting data leaks. GDPR will require organizations to notify data protection authorities of any data breaches, “where feasible” within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedom of individuals. This in itself could be potentially onerous for enterprises.
Data controllers will also have to conduct Privacy Impact Assessments (PIAs) where privacy breach risks are high to minimize risks to data subjects.
The controversial “right to be forgotten” is incorporated into GDPR. This basically gives users the right to have their data erased held my companies at any time. As data processors, cloud service providers, for example, will have to erase personal data if requested to do so by the controller.
GDPR also hardens its grip on rules around obtaining valid consent to use personal information. The legislation requires all organizations collecting personal data to prove that they have very clear and affirmative consent to process the data in question.
In addition, data protection officers (DPOs) must be appointed for all public authorities, plus enterprises where the core activities of the controller or the processor focus on “regular and systematic monitoring of data subjects on a large scale” or where large-scale processing of “special categories of personal data” are made.
Are you GDPR ready?
These are just a few of the transformations that GDPR will bring. But it seems that many organizations are ill-prepared for GDPR. According to a survey carried out by Ipswitch more than half of respondents worryingly could not accurately identify what ‘GDPR’ is. In addition, 52% admitted they were not ready for GDPR. 69% of IT professionals also believed they will have to invest in new technologies and services to prepare for the impact of GDPR.
Preliminary results of a survey by the conducted by the Centre for Information Policy Leadership (CIPL) in conjunction with AvePoint also underscore the fact that most businesses are not GDPR compliant yet, despite it being on their radar.
It appears applications are not GDPR ready either. According to research by Netskope, 75% of more than 22,000 apps it tracked would not stand up to EU data privacy scrutiny. The majority of these violations (73.6%) came from cloud storage apps. Key features lacking were the timely deletion of personal data and breaking data portability requirements.
Two years isn’t long
2018 may seem like some time away, but enterprises should not abandon this issue in the ‘pending’ tray. GDPR compliance will be a challenge in itself for many enterprises and not an effort that can be left until the last minute.
To begin with, enterprises need to start auditing their IT estate now and create or update policies for personal information handling and security, including security breach notice procedures and risk evaluations. They also need to review data protection in contracts with providers and customers that may be in effect in May 2018 or later. Those that need to will also need to start training up or recruiting DPO officers.
A shift to cloud computing and its inherent complexity has already created security challenges for enterprise IT teams. GDPR will only pile on the pressure. It is imperative that enterprises take steps to know where their data is both within the organization and in clouds and understand the obligations they have under GDPR to manage it. Those that don’t will be in for a very turbulent ride.
To learn more about how GDPR can affect your company, read our exclusive GDPR paper here.