Data Privacy and Security

GDPR and the cloud: Three tips for businesses

This is a contributed piece by Eduard Meelhuysen, Vice President Sales EMEA at Bitglass


It’s one year until the European General Data Protection Regulation (GDPR) becomes enforceable. The regulation gives individuals the right to ask businesses for detailed information about how their personal data is processed. Businesses themselves are also subject to monitoring by national supervisory authorities. This means that they need to pay attention not only to data security, but also to the visibility of their data processing operations.

Businesses have special responsibilities in connection with the use of cloud applications. Although the GDPR discusses a sharing of responsibility between cloud users and cloud service providers (CSPs), it is ultimately the cloud user – the business – that is accountable for customer data in the cloud. This is because, under the GDPR, the business is responsible for ensuring that customer data is only used in ways the customer has consented to, regardless of where it resides. 

This is a big challenge that will require a number of resources. During the next 12 months, businesses need to ensure that they prepare for GDPR by getting their cloud data processes up to scratch. Here are three steps to make this happen:


Track down business data

The IT department should work closely with management to draw up a directory of procedures. The directory should summarise how customer, personal and company data is collected and handled. Personal data includes details such as an IP address, by means of which a customer can be identified. Similarly, businesses that utilise the cloud must identify all customer data that moves to and from the cloud, and figure out how it’s protected once there. This covers things such as content data that’s transferred into cloud email applications, or traffic data that’s moved by certain website analysis tools. This too should be put in the directory.

Identifying what data has moved and is moving to the cloud is no easy task, but it has to be done. It is important to ensure that all relevant managers are involved in the process and that actions are coordinated across the team. Don’t leave this until the last minute! Drawing up a directory of procedures and attempting to get customer consent on the eve of GDPR won’t work. A solid directory takes time. The in-house Data Protection Officer required under the GDPR should therefore be appointed as soon as possible, and he/she should ideally be in charge of coordinating GDPR-related processes, to ease the burden on busy IT teams.


Identify data processes carried out by CSPs

Once the directory of procedures has been produced, you should ask your CSP(s) for a copy of their own directory. A comparison of the two will enable you to identify how your data is processed by the CSP. If the CSP’s data processes are different from your own, you might need to gain further consent from your customers. 

The GDPR also refers to potential certification for CSPs. This would likely take the form of a quality seal that would aim to provide businesses with a good indicator of a potential provider’s level of data protection and security. Some CSPs may then use this quality seal as a competitive differentiator. However, there is no uniform standard for CSPs and certification would remain voluntary. With this in mind, businesses should inspect CSPs’ data processing activities thoroughly, and consider the CSP’s use of security tools like Data Loss Prevention (DLP). If a business chooses a CSP that doesn’t look after its data properly, it is the business that will have to pay the fine, so caution is a must.


Avoid shadow IT and train your staff

The changes introduced in the GDPR mean that companies need to pay closer attention to who accesses company data, how, and from where. In other words, which employee is accessing company data and on what device. For example, it should be more or less impossible for employees to access customer or company data on an unsecured private device, such as their own mobile. If they can access this data from home, they can save it wherever they like or send it to another cloud app, all without the IT team knowing and without the customer’s consent. Similarly, if the company email server goes down, staff must be informed that using their private email accounts to conduct business is a no-go, even if they need to urgently contact a customer.

Such occurrences are not unheard of and are undoubtedly in conflict with the GDPR. To remedy this, a code of conduct regarding data security must be laid down for employees. Precautionary measures of this sort require the support of both the Data Protection Officer and management. Technical precautions such as encryption of cloud data and mobile device management technologies can also reduce these risks. It is also important to review the privilege lists that define who can access what data within the company, so that access to sensitive data can more easily be limited or segmented and unauthorised access prevented.

The GDPR transfers applicable case law to the digital world. But this is uncharted territory and we don’t yet know how it will work out for businesses and cloud service providers in practice. Introducing GDPR-compliance processes is a major business challenge, although more so for some companies than for others. In the long term, however, it gives companies an opportunity to distinguish themselves from their competitors and expand their customer base. Undoubtedly, it’s worth being thorough in your approach to data security right from the start, both within the company’s IT system and in the cloud.

