The Cloud and the EU GDPR: Six Steps to Compliance
by Andy Aplin, Regional Director of Solutions Architecture, Netskope
The information technology community has been talking about the pending EU General Data Protection Regulation (GDPR) for some time now. The GDPR is the European Commission’s pending data privacy law that will levy penalties of up to 5 percent of a company’s global turnover and supersede all existing legislation. It’s set to be decided in 2017 and implemented in 2018 and beyond.
There’s something that’s been missing from this conversation, though, and that’s how to handle cloud apps. You know, like Salesforce, Concur, Expensify, Workday, SuccessFactors, Box, Dropbox, WeTransfer, and more. The apps your business increasingly depends upon, and that an increasing number of people and lines of business are going out and procuring without any help (or oversight!) from IT.
According to our latest Netskope Cloud Report, the average European enterprise is using 608 cloud apps. Despite increased awareness on the part of IT over the last year or so, organisations underestimate this figure by about 90 percent. This is shadow IT in a nutshell, and it of course raises the question of how cloud-consuming organisations can ever hope to comply with the GDPR if they don’t know 90 percent of the apps people are using.
We collaborated with Jeroen Terstegge with Privacy Management Partners in the Netherlands, who specialises in data privacy legislation, to make sense of the pending GDPR as it relates to cloud. We identified six things cloud-consuming organisations need to do to comply if they serve European customers (this is all fleshed out in the white paper we just released):
- Know the location where cloud apps are processing or storing data. You can accomplish this by discovering all of the cloud apps in use in your organisation and querying to understand where they are hosting your data. Hint: The app vendor’s headquarters are seldom where your data are being housed. Also, your data can be moved around between an app’s data centers.
- Take adequate security measures to protect personal data from loss, alteration, or unauthorised processing. You need to know which apps meet your security standards, and either block or institute compensating controls for ones that don’t. Netskope has automated the discovery process by measuring cloud apps against 45+ parameters with our Cloud Confidence Index, so you can easily see where apps are lacking and quickly compare among similar apps.
- Close a data processing agreement with the cloud apps you’re using. Once you discover the apps in use in your organisation and consolidate those with overlapping functionality, sanction a handful and execute a data processing agreement with them to ensure that they are adhering to the data privacy protection requirements set forth in the GDPR.
- Collect only “necessary” data and limit the processing of “special” data. Specify in your data processing agreement (and verify in your DLP policies) that only the personal data needed to perform the app’s function are collected by the app from your users or organisation and nothing more, and that there are limits on the collection of “special” data, which are defined as those revealing things like race, ethnicity, political conviction, religion, and more.
- Don’t allow cloud apps to use personal data for other purposes. Ensure through your data processing agreement, as well as verify in your app due diligence, that apps state clearly in their terms that the customer owns the data and that they do not share the data with third parties.
- Ensure that you can erase the data when you stop using the app. Make sure that the app’s terms clearly state that you can download your own data immediately, and that the app will erase your data once you’ve terminated service. If available, find out how long it takes for them to do this. The more immediate (in less than a week), the better, as lingering data carry a higher risk of exposure.
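The six steps above boil down to a repeatable check: discover which cloud apps are actually in use, then evaluate each one against the location, security, agreement, data-limitation, purpose and erasure criteria. The script below is an added illustration of that check, not code from Netskope or from the white paper. The proxy log lines, hostnames (all under the reserved `.test` domain) and the app catalog fields are constructed for the example; a real inventory would come from your proxy or discovery tooling and from the vendors’ own terms and due-diligence answers.

```python
"""Constructed example: discover cloud apps from proxy logs and check each one
against the six GDPR checklist items. All hosts, users and catalog data are made up."""
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic): timestamp, user, destination host, bytes
PROXY_LOG = """\
2015-11-20T09:01:12Z alice app.example-crm.test 40213
2015-11-20T09:02:44Z bob files.example-share.test 882000
2015-11-20T09:03:01Z alice files.example-share.test 1200
2015-11-20T09:05:19Z carol xfer.example-transfer.test 55000000
2015-11-20T09:07:30Z bob app.example-crm.test 3100
"""

# Constructed catalog of sanctioned apps. Each field maps to one of the six steps:
# eu_hosting (1), security_ok (2), dpa_signed (3), data_minimised (4),
# no_secondary_use (5), deletion_days = vendor's stated erasure time after termination (6).
CATALOG = {
    "app.example-crm.test": dict(name="ExampleCRM", eu_hosting=True, security_ok=True,
                                 dpa_signed=True, data_minimised=True,
                                 no_secondary_use=True, deletion_days=3),
    "files.example-share.test": dict(name="ExampleShare", eu_hosting=False, security_ok=True,
                                     dpa_signed=False, data_minimised=True,
                                     no_secondary_use=True, deletion_days=30),
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
MAX_DELETION_DAYS = 7  # "less than a week" from step 6


def discover_apps(log_text):
    """Return {host: {"users": set, "bytes": int}} for every destination seen in the log."""
    seen = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, user, host, nbytes = m.groups()
        seen[host]["users"].add(user)
        seen[host]["bytes"] += int(nbytes)
    return dict(seen)


def check_app(host):
    """Evaluate one discovered host against the six items; return a list of findings."""
    entry = CATALOG.get(host)
    if entry is None:
        # Shadow IT: nothing is known about hosting, security posture or terms.
        return ["unsanctioned app not in catalog: hosting location, security posture and terms unverified"]
    findings = []
    if not entry["eu_hosting"]:
        findings.append("step 1: data hosted outside the EU; confirm where it is stored")
    if not entry["security_ok"]:
        findings.append("step 2: app does not meet security standard; block or add compensating controls")
    if not entry["dpa_signed"]:
        findings.append("step 3: no data processing agreement in place")
    if not entry["data_minimised"]:
        findings.append("step 4: app collects more personal data than its function needs")
    if not entry["no_secondary_use"]:
        findings.append("step 5: terms allow secondary use or third-party sharing")
    if entry["deletion_days"] is None or entry["deletion_days"] > MAX_DELETION_DAYS:
        findings.append("step 6: erasure after termination not guaranteed within a week")
    return findings


def compliance_report(log_text):
    """Combine discovery with the per-app check; usage counts help prioritise remediation."""
    apps = discover_apps(log_text)
    return {
        host: {"users": len(info["users"]), "bytes": info["bytes"], "findings": check_app(host)}
        for host, info in apps.items()
    }


if __name__ == "__main__":
    for host, result in compliance_report(PROXY_LOG).items():
        status = "OK" if not result["findings"] else "REVIEW"
        print(f"{status:6} {host} users={result['users']} bytes={result['bytes']}")
        for finding in result["findings"]:
            print(f"       - {finding}")
```

The unknown transfer host is the shadow-IT case from the opening paragraphs: it shows up in the traffic but not in the catalog, so none of the six items can be answered for it and it is flagged first. The file-sharing app is known but fails three of the six checks, which is exactly the kind of gap a data processing agreement and a shorter erasure commitment would close.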
Of course, if you end up accomplishing some of these steps via policy, make sure you can take action whether your users are on-premises or remote, on a laptop or mobile device, or on a managed or BYOD device.
Learn more about how to implement these steps in our complimentary webinar on Thursday, December 3, at 10AM GMT/11AM CET. Privacy expert Jeroen Terstegge will join me, and together we’ll provide a deep dive into the nuances of the GDPR as it relates to cloud apps, as well as offer a practical framework for complying with the pending law.