(c)iStock.com/Creative-idea
After months of fine tuning and approvals from various bodies, the EU General Data Protection Regulation (GDPR) is almost upon us.
When the GDPR finally becomes law in spring of this year after passing a final stage of approval, organisations will have two years to comply with the regulation. Two years might seem plenty of time, but the complex picture of cloud use in modern enterprises means that GDPR compliance will be a challenge. A recent Netskope and YouGov survey found that almost 80% of IT pros in medium and large companies are not confident of ensuring compliance with the regulation in time for the expected deadline of spring 2018.
Enterprise cloud app use is a significant potential stumbling block for organisations seeking GDPR compliance, not least because cloud apps create unstructured data which is more difficult to manage but still explicitly included in the regulation. The survey found that almost a third of IT pros admit to knowing unauthorised cloud apps are in use within the organisation, but only 7% have a solution in place to deal with this phenomenon – also known as shadow IT.
Cloud app use provides such huge productivity gains that blocking apps isn’t an option. Companies must discover how to continue using cloud apps while ensuring protection of structured and unstructured data, both in-transit and at-rest. So how can organisations ensure compliance and continue using cloud apps?
The GDPR requires organisations actively to take measures to protect the data they hold. They won’t comply with the GDPR only through legal arrangements like policies, protocols and contracts. Rather, companies must take deliberate organisational and technical measures to ensure data protection and compliance in all areas. This is known as data protection by design, and goes beyond traditional security measures aimed at confidentiality, integrity and availability of the data.
Controlling and securing data in cloud apps will be central to GDPR compliance, so managing an organisation’s interactions with the cloud is a good place to start. This can be achieved by:
- Discovering and monitoringall cloud applications in use by employees
- Knowing which personal data are processed in the cloud by employees – for example, customer information such as name, address, bank details, or other forms of personally identifiable information (PII)
- Securing data by setting up policies which ensure that unmanaged cloud services are not being used to store and process PII. The policy should be granular enough to stop the unwanted behaviour while allowing compliant use of the cloud to continue
- Coaching users to adopt the services you sanction
- Using a cloud access security brokerto assess the enterprise-readiness of all cloud apps and cloud services to ensure that all data are protected when in transit or at rest
The complications arising from the use of cloud and shadow IT mean that personal data is harder to track and control than ever before. The GDPR will have significant and wide-ranging consequences for both cloud-consuming organisations and cloud vendors, and security teams will need to make the most of the two-year grace period before penalties for non-compliance come into force. Examining an organisation’s cloud app use is a great place to start.