prospect of legal activity arising from failure to comply with the General Data Protection Regulation (GDPR) is now very real for many small-to-medium-sized businesses.
The European Union’s landmark set of regulations comes into force next May, making it imperative that any organisation storing or processing customer data in the cloud can demonstrate what it has done to achieve compliance.
The alternative course could potentially lead to exposure by European citizens (and their lawyers) exercising their rights to see whether personal data is being handled in compliance with the new regulation. Since so many organisations hoard data in the hope that one day some value can be extracted from it, the dangers are substantial.
It is easy to get it wrong
It is incredibly easy to fall foul of the new rules. Few realise, for example, that the CV of an unsuccessful job applicant should be deleted if no explicit consent for the file’s retention is obtained. This is because the data is no longer relevant under the terms of the GDPR.
Many businesses have also failed to install a suitable mechanism for answering subject requests about data, in some cases sending out masses of data unnecessarily. And relying on cyber risk insurance for protection is likely to be futile, given the potentially immense costs of a GDPR breach, which include penalties of up to four per cent of global turnover, along with the financial drain of having to compensate affected individuals.
What an organization can do to comply
There are, however, some simple steps a business can take to protect itself, especially if it is entrusting substantial amounts of personally identifiable data to the cloud in order to run its applications.
For a start, organisations should insist on full compliance with the already-existing standards that cover the cloud, even if they are not specific to it. These include ISO 27001, PCI compliance and Sarbanes-Oxley Act (SOX) compliance. They should also insist on those specifically related to the cloud, such as CSA STAR.
Yet this is only a start, because full GDPR compliance requires considerably more. A cloud provider must, for example, be able to work to a legal contract defining the restrictions around the Data Controller and Data Processor relationship, a key concept of the new regulation.
Unfortunately, many organisations enjoying the benefits of the cloud do not fully understand how much of its resources they are consuming, either from SaaS solutions or from their gradual accumulation of IT and dev-ops initiatives. In the age of the GDPR this is a reckless position to be in.
This is where the hands-on advice of experts such as Calligo is essential, establishing what is compliant so that processes and workflows can be adapted accordingly, using the applications and technologies that are available. For a mid-tier business, this is no small task, but it is perfectly achievable because Calligo has unmatched expertise in GDPR compliance and an understanding of how to apply best-practice standards in everyday contexts.
Greater urgency required over compliance
As more and more tech companies embrace subscription-style services in the cloud, the need to act in compliance with the regulation becomes ever more urgent. The GDPR demands that organisations have far better understanding and supervision of their cloud footprint (and indeed their private infrastructures and data-sets).
While there is no single, magic tool that will sort out compliance for an organisation, businesses must master data governance now and build in a privacy-by-design approach to their cloud use.
With Calligo’s guidance, a business will not have to worry about how it can demonstrate to regulators that it has taken all reasonable steps and implemented the appropriate technological advances, as GDPR requires.
It is not just a question of living in fear of hungry lawyers or super-vigilant regulators either. The cost and efficiency benefits of having better data stewardship enhance overall business effectiveness immensely. Actively taking steps to achieve GDPR compliance through the best data governance available gives any business a real competitive edge.