GDPR, the Cloud and Your Customer’s Data

Plenty has already been written about the EU’s General Data Protection Regulation (GDPR), which comes into force in the UK in May next year. If you need a refresher on the overall regulatory framework, then the Information Commissioner’s Office is a good place to start.

No-one relishes the prospect of new regulation, but the existing rules were designed and implemented before cloud computing was a thing. So it’s uncontroversial that an overhaul is needed to regulate the huge volumes of data that now routinely pass between organisations and across borders thanks to the rapid growth of cloud adoption over the last ten years.

What’s more, as a cloud security specialist, I’m struck by how closely the requirements for GDPR compliance reflect security best practice for hybrid cloud deployments. Looked at this way, the new rules can be seen as an opportunity rather than a burden, spurring on the enterprise to clean house and adopt a security strategy that’s fit for purpose in the cloud era.  

GDPR and CSPs

Cloud security requires a conceptual rethink, shifting away from the old perimeter-based approach and towards a more dynamic, workload-centric approach. Key to this is an understanding that security is now a shared responsibility between the Cloud Service Provider (CSP) and the customer organisation – a reality that’s reflected in the structure of GDPR.

Under the outgoing Data Protection Act, compliance was a matter purely for the “Controller” of personal data – usually the organisation responsible for deciding what data was being collected and held, and why. Under GDPR, CSPs will be categorised as data “Processors”, and will need to meet compliance standards comparable to those required of Controllers.

While both parties will be equally liable for breaches of the regulations, there will be an obligation on businesses, as the controllers, to assess whether the security measures of their CSP (the Processor) meet the required standard. To do this, they will have to conduct periodic audits. CSPs that contract out services to sub-providers will have to ensure the same level of compliance in their contractors.

A robust and comprehensive cloud security solution will already have compliance baked in, integrating the security tools native to cloud platforms like Azure and AWS with the customer organisation’s own solutions, and presenting it all via a single pane of glass to provide full visibility of security across physical, virtual and cloud deployments.  

The Cost Of Non-Compliance

As well as placing tighter and more explicit controls around the storage and management of personal data, GDPR also mandates a greater degree of transparency, placing a legal obligation on all organisations to report certain types of data breach to their in-country regulatory agency within 72 hours of discovery, advising the nature of the breach, the categories and approximate number of individuals and personal data records concerned, likely consequences and so on.

In serious cases, where the rights and freedoms of individuals are put at risk, the organisation is obliged to contact all affected individuals directly. And in the most serious cases, the organisation may also be required to notify the public without delay.

Failure to report data breaches within 72 hours can result in heavy fines of up to 10 million Euros or 2 per cent of global turnover, whichever is the greater, providing a powerful incentive for even the largest, wealthiest enterprises to take compliance seriously.

For many large organisations, operating hybrid cloud architectures with disparate legacy security solutions, 72 hours simply won’t be enough time. Often, breaches aren’t discovered until weeks, months or even years later. In any event, it’s extremely rare that an organisation will have a complete view of the scale and nature of a breach within 72 hours. While GDPR does acknowledge this fact, and allows information to be provided in phases, this is not an acceptable level of risk in the long term.

This is what has been driving the high levels of interest in cloud security platforms in recent times. For organisations handling the largest volumes of data, and with the most diverse and complex workload deployments, there is now even greater impetus to adopt a cloud-first security posture, providing the ability to monitor not just malicious activity but inadvertent errors – across platforms and environments in real time. Such an approach could save a great deal more than inconvenience and reputational damage. 

The Benefits of Compliance

The business benefits of a robust, scalable and transparent solution are commensurate with the benefits offered by cloud computing in general – reduced costs, increased agility, flexibility and efficiency.

With the imminent introduction of GDPR, and the hefty price of non-compliance, there is a significant new incentive to invest in a security solution that’s designed from the ground up to manage the shared responsibility – and compliance – demanded by the cloud computing model.

As digital transformation progresses, and people become more security-conscious about their personal data, there will be more regulations like GDPR. Trust and transparency will become increasingly important in the design and delivery of new products and services.

Which is why, as the leading provider of server security for physical, virtual, and cloud environments, Trend Micro is so well placed to help customers turn the burden of GDPR compliance into an opportunity for real competitive advantage.

For those wanting a little bit more information about security on AWS we’ve put together a short and engaging video which you can watch here.

Have I identified the salient points about GDPR? What are your main challenges in preparing for it? I’d love to hear from you.  Join the discussion…
