On May 25, 2018, the GDPR will finally become enforceable.
But what does that mean for large enterprises? After all, data privacy laws and substantial breach fines are hardly a new phenomenon.
A great deal has changed since the current set of data protection laws and compliance frameworks were devised. As things stand, the EU is governed by legislation passed more than two decades ago, while the US has very little in the way of specific, formalized legal requirements. In both cases, the “rules” governing use and storage of sensitive data were written long before cloud technology revolutionized the way we do business.
Not only did cloud platforms like AWS, Azure, and VMware not exist when the current set of data protection laws were passed, nobody had even considered the possibility of remote storage or the SaaS business model.
As a result, we live in a world where:
- Responsibility for collection, storage, and manipulation of sensitive data is routinely handed off to cloud platform/service providers
- Enterprises happily utilize dozens (sometimes hundreds) of cloud applications, spread across multiple environments, while agreeing to non-negotiable terms of service (ToS)
- In many cases, cloud services are enlisted without the supervision or knowledge of IT departments
- The physical storage location of sensitive data is often known only to cloud service providers
Perhaps most significant of all, none of these things are specifically regulated. But that’s about to change.
Three Big GDPR Challenges
According to a recent study, the average European enterprise uses 608 cloud applications, and it seems reasonable to assume that US enterprises are in roughly the same position.
And there’s nothing wrong with that… except that often IT departments aren’t aware that most of those applications are being used. Creating or signing up for cloud applications has become so easy that individuals and teams within an organization can do so without ever involving (or informing) their IT service.
This phenomenon, labeled “shadow IT,” already poses substantial data protection, security, and logistical problems for the average organization. And when the GDPR comes into force, things are going to get a whole lot harder. Here’s why:
1) The Stakes are MUCH Higher
Did you think TalkTalk’s £400,000 fine was substantial? Well, if it had happened under the GDPR it would have been in the region of £59 million. Doesn’t look so bad now, does it?
Once the GDPR becomes enforceable, organizations found to have breached its terms can be fined up to 4% of annual global turnover or €20 million (whichever is higher). Even for less serious infringements, such as not having their records in order or failing to report a breach in time, organizations will be liable for up to 2% of annual global turnover.
Realistically, for many organizations, a judgment of this size would represent the financial death penalty.
2) Ignorance Isn’t an Option
Under the GDPR, organizations will be required to keep accurate and detailed records. They’ll need to know precisely what data they hold, who it relates to, how it’s used, and where it’s stored.
As reasonable as that may seem, it’s going to pose huge problems for many organizations.
Even within cloud platforms like AWS, Azure, and VMware it is extremely difficult to obtain a full picture of where and how cloud applications are being used. And in a world where any individual within your organization has the ability to start using new cloud services without ever seeking permission or guidance, gaining clarity into data usage becomes functionally impossible.
3) You Can’t Outsource Responsibility
In the past, organizations have been solely responsible for the data they held, irrespective of whether they retained it in-house or handed it off to third parties. Under the GDPR, however, a thorough set of responsibilities has been defined for both data controllers and data processors.
On one hand, this is fantastic news: Data processors must conform to strict GDPR requirements, or they are liable to be fined. At the very least, all of the major players in the cloud platform space can be reasonably expected to fulfill their duties in this area.
But (and this is crucial) that doesn’t mean you can simply hand off responsibility to a series of third parties, no matter how big they might be.
As a data controller, not only will you need to conclude a thorough data processing agreement with each cloud provider, you’ll also need to immediately stop working with any provider who can’t adequately demonstrate their ability to conform with GDPR requirements.
And if that’s not hard enough, here’s one more for you: You can’t simply assess a processor, sign an agreement, and move on. You’ll need to audit the processors you work with on a regular basis to ensure they continue to handle your data properly.
Managing the Unmanageable
Naturally, coping with these new requirements isn’t going to be easy. We’ve only covered some of the major GDPR requirements in this article, and taking care of them all is going to be a substantial undertaking.
What we can suggest, however, are two concepts that should be central to your GDPR planning: Resource ownership and an audit trail.
1) Ownership of application stacks and security groups
If you seriously plan to bring your organization into compliance with the GDPR, you’re first going to need to accept a simple truth: Central IT can’t control everything.
The number of applications used by an average large-scale enterprise is staggering, and by the time you factor in the additional complication of a multi- or hybrid-cloud strategy, there is just no way for a central team to control everything.
Instead, in order to bring everything in line with the GDPR, you’ll need to know precisely who is responsible for each cloud application, and ensure that each of those owners is acutely aware of their upcoming responsibilities under the GDPR.
And it’s not just about application ownership. Security groups are renowned for being reused freely, but in a world where mistreating sensitive data can lead to financial Armageddon, we’re all going to need to be a bit stricter with ourselves. To that end, security groups should be assigned to individual owners, and risk assessments should be conducted before reusing them.
2) Audit and policy
As we’ve already noted, even if no breach ever occurs you can be fined simply for failing to have your records in order. For that reason, no matter how you choose to approach the security and hygiene of your data, a thorough set of GDPR-compliant policies and a rigorous audit trail are going to be essential.
Not only must you know who is responsible for a cloud application, you also need to know precisely what data it holds, where that data is stored, and how it’s used. When each new application is developed, it must align with your GDPR-compliant policies on instance size, storage, networking, etc.
This might all sound tedious, but it’s essential in a post-GDPR world.
Right now, organizations all over the world are in panic mode. The GDPR is about to go live, and many organizations are simply not ready.
And you know what? That’s not a surprise. Hybrid- and multi-cloud environments can be hugely complex, and just getting to the bottom of who owns which application can seem insurmountable.
This is where cloud management platforms (CMPs) can be tremendously valuable. Using a CMP, an organization can keep track of all cloud application usage, as well as assign and monitor ownership of application stacks and security groups. At the same time, CMPs maintain thorough activity logs and audit trails, giving a much greater level of visibility into where data is stored and how it’s used.
To find out how Scalr’s Hybrid Cloud Management Platform can help you get your house in order before the GDPR hits, learn more about how Scalr helps enterprises enforce security and compliance standards at scale or click here to arrange a demo.