Cloud computing may come with plenty of benefits, but it also comes with plenty of security and privacy concerns. These include potential data breaches from vulnerabilities, malicious insiders, BYOD and third-party apps and APIs. Risks also crop up from the lack of established industry standards among cloud providers as well as the lack of uniform regulations across the European continent.
That may all change if the new EU General Data Protection Regulation (GDPR) requirements are implemented. Negotiations will restart this month to consolidate all the EU member nations' data protection regulations into a single EU law. A recent Sophos study found that 84 percent of cloud end-users agreed Europe needed stronger data protection laws, while other research discovered that only 1 in 100 cloud providers are ready to embrace the new EU regulations.
New Regulation Impact and How to Prepare
The GDPR sets uniform standards across all of Europe instead of letting countries pick and choose which directives they want to follow. Non-compliance can net fines as high as €100m or 5 percent of your global turnover, whichever is higher. The overall aim is to enhance cloud security and protect cloud users, and the impact is expected to be huge.
For starters, liability for data breaches will now be shared by data controllers, or companies that own the data, as well as data processors, or cloud providers or hosting companies that manage the data. That means data controllers need to ensure the providers they choose are following the new regulations before they even sign on.
That also means cloud providers are required to disclose how their data processing is conducted and what security measures they use — information that’s typically been held close to the chest. And that’s just the beginning. The new regulations also require:
- Consent to collect data from individuals who “opt-in,” and making it easy for individuals to “opt-out”
- The “Right to Erasure,” under which all of a customer’s data is deleted at the customer’s request
- Subjects to receive a copy of their personal data upon request
- An annual risk analysis that outlines risks as well as steps taken to correct them
- Each country to establish a single Data Protection Authority
- Appointment of a Data Protection Officer for organizations that process more than 5,000 data subjects
- Full documentation of any breach, along with immediate notification of that breach to the proper authority
Additional requirements come with additional administrative burdens. When contracts are terminated, providers must hand over all data to the data controllers. Providers must obtain permission from the client before enlisting any third-party services. One more requirement is ensuring that the appropriate Data Protection Supervisory Authority and the data controller have all the information they need to verify compliance.
Instead of a one-size-fits-all approach to securing data, cloud providers will be required to customize security levels to match the nature of the personal data being processed. More critical data will thus be likely to receive more stringent protection.
How PerfectCloud Can Help
Enhanced cloud privacy and security is the aim of the new GDPR, and it’s also the overall benefit of PerfectCloud. Our advanced cloud security solution protects both data controllers as well as data processors by encrypting all data, a move that ensures your company can’t be held liable even if IT systems are breached. Additional protection comes from our strong key management and our zero-knowledge, token-less patented security architecture. You control it all from a single dashboard. And yes, we’re compliant with current EU directives – and will continue to comply when the new EU regulations go into effect.