Boiled down to its very basic elements, complying with the GDPR is all about controlling your data. In order to control data, it is essential to have proper visibility of your data – what you hold, where it resides, where and how it travels, and how it’s protected. Conducting a full audit of an organization’s data is always a very involved process. We all know data volumes are growing exponentially, but perhaps less visible is the use of different cloud services in any modern business. Cloud services are present in every modern workplace, making personal data even more difficult to track and control.
The first stage of any audit needs to uncover the cloud services in use within an organization – both sanctioned and unsanctioned. The latest Netskope Cloud Report (February 2018) found that organizations use an average of 1,181 cloud services. That’s a lot of data being uploaded, shared and stored in a huge number of cloud services, and it requires further assessment to determine whether that data would be defined as “sensitive” in the provisions of the GDPR.
An audit provides a comprehensive list of what cloud services are in use, enabling organizations to know which services they are dependent upon for their own GDPR compliance. A good CASB (cloud access security broker) will offer solutions which can compile a GDPR readiness assessment, scoring each cloud service on a number of criteria weighted in importance.
Pertinent questions used to build the GDPR readiness score for each cloud service include what the level of encryption of data at rest is; who owns the keys; what data center certifications are present; and whether the service shares PII with third parties. With all questions answered, the tool presents a rating for the service in question.
The results are usually eye-opening. We have spoken to companies which have found personal data shared in publicly-accessible links, sensitive client data shared with external parties before it was supposed to be, and more besides.
Visibility is just the first step, however. A good CASB will also show whether or not your organization has a data processing agreement (DPA) in place with the cloud service in question. This is mandatory under the GDPR, and companies will need to be able to demonstrate to the regulator that this box has been ticked.
For services where a DPA is missing, the readiness assessment from the CASB should also examine everything being transmitted to each cloud service, checking for data classed as PII under the terms of the GDPR.
If sensitive data are being transmitted in breach of the regulation, your CASB platform can then step in to block this data to avoid a breach of compliance. Blocking is usually the start of a user’s journey to “work around” restrictions, so you’ll ideally want the CASB to automatically provide the user with information about an appropriate, sanctioned service to use, which will enable them to accomplish their task without putting data at risk. This provides organizations with preventative control over their data.
Next, a company will want to know about data residency – i.e. where the data stored or transmitted in cloud services actually resides in geographic terms. The user might be inside the EU, but the cloud service in question might be hosted outside of the EU. Is this a problem? Not necessarily. There’s no provision in the GDPR which states that companies can’t store data in services based outside of the Union, but if they do so, they have to guarantee that the vendor is compliant with the GDPR.
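As an added illustration of the audit workflow described above (readiness scoring per service, the DPA check, PII scanning of uploads to services without a DPA, block-and-redirect, and a residency flag), here is a small Python model. It is example code written for this page, not Netskope's scoring model or any CASB's implementation; the criteria weights, the PII patterns, the service names and the upload records are all constructed and hypothetical.

```python
import re
from dataclasses import dataclass

# Hypothetical readiness criteria and weights, constructed for this example.
# They mirror the questions named in the text (encryption at rest, key ownership,
# data-center certification, PII sharing) but the weights are not a real model.
CRITERIA = {
    "encryption_at_rest": 3,   # data encrypted at rest
    "customer_owned_keys": 2,  # the tenant, not the vendor, holds the keys
    "dc_certified": 2,         # data-center certifications present
    "no_pii_sharing": 3,       # PII is not shared with third parties
}
MAX_SCORE = sum(CRITERIA.values())

@dataclass
class CloudService:
    name: str
    answers: dict          # criterion name -> bool
    dpa_in_place: bool     # data processing agreement signed?
    sanctioned: bool       # approved by IT?
    region: str            # where the service is hosted, e.g. "EU" or "US"

def readiness_score(svc: CloudService) -> int:
    """Weighted readiness score as a percentage of the maximum."""
    earned = sum(w for c, w in CRITERIA.items() if svc.answers.get(c, False))
    return round(100 * earned / MAX_SCORE)

# Simple PII indicators for the scan (constructed); a real DLP engine uses
# far richer classifiers and validation (e.g. IBAN check digits).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
    "phone": re.compile(r"\+\d{2}[ \d]{8,}"),
}

def find_pii(payload: str) -> list:
    """Return the sorted names of PII patterns found in an upload payload."""
    return sorted(k for k, p in PII_PATTERNS.items() if p.search(payload))

def decide(svc: CloudService, payload: str, alternative: str) -> tuple:
    """Allow uploads unless PII is headed to a service with no DPA; then block
    and point the user at the sanctioned alternative."""
    pii = find_pii(payload)
    if svc.dpa_in_place or not pii:
        return ("allow", pii)
    return ("block", f"{pii} to {svc.name} (no DPA); use {alternative} instead")

def audit(services: list, uploads: list, alternative: str) -> dict:
    """Run the audit stages over a service inventory and upload records."""
    by_name = {s.name: s for s in services}
    report = {
        "scores": {s.name: readiness_score(s) for s in services},
        "missing_dpa": sorted(s.name for s in services if not s.dpa_in_place),
        # Non-EU hosting is not itself a violation, but the vendor's
        # GDPR compliance must be confirmed; list them for follow-up.
        "non_eu": sorted(s.name for s in services if s.region != "EU"),
        "blocked": [],
    }
    for svc_name, payload in uploads:
        action, detail = decide(by_name[svc_name], payload, alternative)
        if action == "block":
            report["blocked"].append((svc_name, detail))
    return report

# Constructed inventory: one sanctioned service with a DPA and two unsanctioned.
SERVICES = [
    CloudService("CorpDrive", {c: True for c in CRITERIA}, True, True, "EU"),
    CloudService("SnapShare", {"encryption_at_rest": True, "dc_certified": True},
                 False, False, "US"),
    CloudService("QuickNotes", {}, True, False, "EU"),
]

# Constructed upload records: (service, payload excerpt).
UPLOADS = [
    ("CorpDrive", "Quarterly plan draft"),
    ("SnapShare", "Contact: anna.muster@example.com"),
    ("SnapShare", "Meeting notes"),
    ("QuickNotes", "IBAN DE89 3704 0044 0532 0130 00"),
]

if __name__ == "__main__":
    for k, v in audit(SERVICES, UPLOADS, "CorpDrive").items():
        print(k, v)
```

Only the SnapShare email upload is blocked: QuickNotes scores zero on readiness but has a DPA, so the model allows the IBAN upload and leaves the low score for the assessment report, while SnapShare appears in both the missing-DPA and non-EU lists for follow-up.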
With those stages of the audit complete, the company in question will be in a much better position to assess what else needs to be done to achieve GDPR compliance.
Both cloud vendors and cloud-consuming organizations must recognise the wide-ranging and significant ramifications of the GDPR on data control and protection. IT departments need to assess their data and processes now to ensure that they can keep data in check and not risk penalties for non-compliance in 2018. As the deadline looms, building a true picture of the use of cloud services via a thorough audit is a great place to start.
Discover and monitor every single cloud application used by employees across the business;
Know what personally identifiable information (PII) is being processed in the cloud by employees. Is this data defined as “sensitive” under the GDPR?
Secure data. Conduct a GDPR readiness assessment and use it to check that you have a DPA in place with all cloud services in use by the business and its employees. Set and activate policies which ensure staff are not using unmanaged cloud services to process and store PII.
Kristina Vervoort is currently the Regional Sales Director for the DACH region for Netskope, the leader in cloud security. Prior to her role with Netskope, Vervoort led sales for all security products at Cisco in the DACH region. She studied at the University of Passau and currently resides in Dusseldorf, Germany. For more information on Netskope, visit www.netskope.com.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.