In just under a year, the time will come: on May 25, 2018, the European General Data Protection Regulation (GDPR) will come into force. It gives private individuals the right to obtain comprehensive information about the processing of their personal data from companies to which they have entrusted that data in the course of a business relationship. The companies are then subject to oversight by state supervisory bodies, which is why they are required to ensure not only security but also transparency in their data processing.
Companies bear a special responsibility when it comes to using cloud applications. Although the GDPR provides for shared responsibility between cloud users and cloud providers, the companies that use the cloud are ultimately held responsible. As a so-called processor, they roughly take on the role of a gatekeeper between their customers and the cloud providers. Under the GDPR, it is now their responsibility to ensure that all data collected is processed only in the way that their customers and users have expressly approved beforehand.
That is a big challenge, considering that not all companies have sufficient resources to settle easily into this role. To secure the cloud front in the remaining 12 months, companies should now observe the following points:
1. Coordinated «search» for company data
To make the company's IT infrastructure GDPR-compliant, IT usually works closely with various departments and the management to create an overview of the processing of all types of data, for example personal data, content data or traffic data. Personal data covers not only information about the person but also other data that make a natural person identifiable, for example the IP address. For companies that have already planned or already carried out the move to the cloud, this means that they have to determine what kinds of customer data find their way into the cloud in day-to-day operations and, last but not least, how they are protected there. For example, content data could be outsourced to email cloud applications, or traffic data could get there via certain website analysis tools.

Depending on the capacity and staffing in the company, it is certainly not an easy job to find out to what extent data will migrate or has already migrated to the cloud. But someone has to do it, or in other words: someone has to take responsibility. It is important to involve all relevant company managers in the process. However, to avoid diffusion of responsibility, these efforts must be coordinated. The eve of the GDPR is too late to change the procedural directory and all processes associated with it (for example, obtaining the approval of customers) because of a newly introduced cloud application. Therefore, the company's own data protection officer, required as part of the GDPR, should be appointed early and ideally entrusted with coordinating the processes relevant to the GDPR.
2. Determine data processing on the cloud provider side
Once the list of procedures has been created, you should ask your cloud providers to hand over their procedural directory. Comparing the two shows to what extent the processing methods and the security standards match those of the company or, in the opposite case, to what extent they go beyond them and whether extended consent must be obtained from customers. The company's data protection declaration must be updated according to the results.
The GDPR also provides for a certification of cloud providers. The level of data protection and security of a provider is to be reliably represented by different seals of approval. However, no uniform standards have yet been established and the certification is voluntary. It can be assumed that the seal of approval will become a competitive criterion for cloud providers in the long term. But it is not foreseeable whether all cloud providers will implement this in time for the GDPR coming into force. To be on the safe side in good time, companies should not, for the time being, rely on a mere glance at a seal of approval to save them great effort. Rather, you should check the data processing of your cloud providers in detail and also pay attention to the security functions used, such as Data Leakage Prevention (DLP). In view of the impending fines that can hit companies if the cloud providers they have chosen do not comply, it is worth taking a lot of care when checking.
3. Avoid shadow IT and train employees for the GDPR
With the changes brought by the GDPR, companies should also pay more attention to which employees have access to which types of data and, above all, from which devices. It should be ruled out as far as possible that employees, for example, access important customer and company data after work from an unsecured private device and store it as they please or process it with other cloud applications. Likewise, all employees have to be made aware that if a corporate service fails, for example the e-mail server, they must not switch in the meantime to private e-mail accounts or other freely available services in order to complete urgent correspondence with their customers. For such cases, employees' awareness of data security must be sharpened and rules of conduct defined. Such precautions sometimes also require support from the data protection officer and the management. Technical precautions, such as encrypting cloud data and securing all mobile company devices, can also help minimize such risks. It is also helpful to develop a rights and roles concept in order to segment access rights and to restrict user access to sensitive data.

The GDPR creates a European standard for data protection in the digital age. How case law will develop in practice for cloud providers and the companies using the cloud remains to be seen. For the time being, introducing GDPR-compliant processes is a major challenge for companies, more for some, less for others. In the long term, however, this also offers companies the opportunity to stand out from their competitors with their data processing principles and to expand their customer base. It is therefore worth taking care of the security of customer data from the start, both within your own corporate IT and in the cloud.
Eduard Meelhuysen, Vice President Sales EMEA, Bitglass
