I’m using the public cloud, should I care about GDPR?

If you’re in IT or information security, and are wondering what GDPR is, welcome back from outer space!

GDPR is the new regulation passed by the European Union (EU) parliament to fortify data protection for all individuals within the EU. It has been the talk of the town over the past year because GDPR will come into effect starting May 25th, 2018. Here’s the kicker, you had two years to prepare yourself and your organizations to comply with this regulation. GDPR is meant to protect the privacy and personal data of end users and is less about cybersecurity and hacking.

For instance, it doesn’t tell you how to secure your assets and the data they contain but provides guidance around how organizations need to protect the privacy of users, make users aware of and consent to the data being collected about them, and make it easy to delete their personal data upon request.

A common question that organizations have is whether or not GDPR applies to them. If your organization is established in the EU, or serves EU customers, and stores or processes their data, then GDPR applies to you. I’ve also heard customers running workloads in the public cloud say that because their cloud provider is GDPR compliant, they are covered. This is a misconception that can cost you dearly.

The shared responsibility model puts the responsibility of managing data privacy and usage squarely in the domain of the customers. While the leading cloud providers offer data protection capabilities such as encryption and access control, organizations still need to use these controls to manage data privacy effectively.

You have to get ready now and get your cloud infrastructure ready too. GDPR does not offer a manual for compliance, only general guidelines. These are written in legal terms as opposed to technological ones, making it challenging to know what exactly needs to be done in order to be compliant. Here’s just one example (section 1 out of article 25 talking about data protection by design and by default):

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall […] implement appropriate technical and organizational measures […] in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

What are appropriate measures? What is an effective manner? And who decides what are necessary safeguards? This is open to interpretation, preferably by a lawyer who understands this kind of English.

GDPR regulation differs between the “controller” and the “processor” of the data, and their responsibilities in keeping the confidentiality and integrity of the private data. As a business owner, you (or someone on your behalf) are the data controller. You need to know what kind of data you have in your possession and why; where and how is it stored; how is it processed and also be able to prove your compliance. The processor can be the cloud provider, who does the processing on behalf of the controller. The processing must meet the regulation requirements and be able to prove that. Both processor and controller hold responsibility for GDPR compliance, but according to article 24, it is the controller’s responsibility to choose a processor that can prove and demonstrate their compliance.

In order for you to be GDPR compliant, you need a custom-made solution. There’s no one-size-fits-all. The solution that’s right for you has a lot to do with your personal infrastructure, the service that you give, the kind of data you work with, etc.  Nevertheless, here are some practical things you should be doing right away:

Access restrictions

Establish access to data on a need-to-know / need-to-access basis. If you are dealing with personal and private data, hackers might take advantage of it, or try to steal other people’s credentials to get access to it. Prevent this from happening by restricting access. This is the basic security concept of Principle of Least Privilege

Encryption

Treat the private data in your possession like crown jewels. Make sure it is safe. Even if your system is design to restrict access to the data, there’s no 100 percent guarantee in security. Keeping the data encrypted and having the keys kept in a safe place will give you another layer of security. This is the concept of Security by Design

Monitoring and logging

You should be able to know what’s going on in your environment at all times. When looking at GDPR and the need to prove your compliance and best efforts, keeping track on all events and being able to query backwards is very important

Minimal footprint

Delete and stop saving all data that is not necessary for you to do your work. We love data and love making the most out of it, but in this case excessive data is more responsibility and potentially more headache.

Know exactly what kind of data you keep, and where you keep it

In case of an audit, or worse, in case of a security incident, you need to know what assets you have and where they are kept. That way you can manage your risks better and respond quickly.

Prevention + detection

When planning compliance, you always prepare for the worst. The assumption should be that a security breach is only a matter of time. Therefore, in order to minimize the risk, try to spot the breach as early as possible.

For all the ambiguity around what data protection measures are required, the penalties associated with a lack of compliance with GDPR are painfully clear. Getting caught unprepared can cost you a lot of money! Penalties can vary from two percent of global gross revenue or €10M (whichever is higher), to four percent or €20M, depending on the type of violation. An event like the Uber breach that occurred in 2016, but was disclosed only last November, would have cost them heavily if GDPR was applicable at the time. Not only did Uber fail to keep its users’ data safe, but they also failed to inform the authorities within 72 hours, as GDPR requires. The new regulation has lot of bite, and it is time to get prepared.

Although reading the GDPR articles can leave you with more questions than answers, remember that its intention is to keep users’ private data, private. When designing your security, use common sense and established principles, and make your best effort to respect the privacy of the data you were allowed to save. Best practices like the ones I’ve mentioned here and in previous posts are a good starting point as you make your way towards GDPR compliance. Good luck!