12 Jul The Cloud vs GDPR
There has been a lot of buzz, advice and content flying around about the new data protection regulation, GDPR, which comes into force next month.
Something has been missing from the conversation, though: how to handle the vast array of cloud platforms we use today. You know, like Salesforce, Concur, Expensify, Workday, SuccessFactors, Box, Dropbox, WeTransfer, and many more. These are the apps your business increasingly depends upon, and that a growing number of people and lines of business are going out and procuring without any help (or oversight!) from IT.
According to the latest Netskope Cloud Report, the average European enterprise is using 608 cloud apps. Despite increased awareness of this often hidden part of IT over the last year or so, organisations underestimate this figure by about 90 percent. This is shadow IT in a nutshell, and it raises the obvious question: how can a cloud-consuming organisation ever hope to comply with GDPR if it doesn't know about 90 percent of the apps its people are using?
Here are some key steps to consider around your cloud application use when assessing your GDPR compliance:
- Location, location, location – Providers of cloud applications will often not readily tell you where they actually store your data, and their office locations are usually not the same as the locations of their data centres. Some providers, such as Microsoft, operate data centres in various parts of the globe to provide a ‘local’ base for clients in the region. Within the EU their data centres are in Dublin and Amsterdam, with London recently added to that list, and we understand Germany is not far behind. Be warned, though: many US firms will only store their data in the US and provide no option for operation elsewhere. This isn’t necessarily the end of the road, since GDPR does permit transfers outside the EU where appropriate safeguards (such as standard contractual clauses) are in place, but you will have to establish what data you store outside the EU, on what legal basis, and document it appropriately.
- Data loss – Know which apps meet your security standards, and either block those that don’t or put controls in place around them.
- Data processing agreement – Once you have discovered all of the apps in use within your organisation, sanction those you wish to keep using and put a data processing agreement in place with each provider. This binds the provider to the data protection requirements you are subject to under GDPR.
- Collect only ‘necessary’ data – Specify in your data processing agreement (and in all other relevant internal policies) that only the data needed to perform the app’s specific function is collected by, or entered into, the app, and nothing more. There are additional limits on the collection of ‘special categories’ of personal data, which cover things such as race, ethnicity, political opinions, religion, sexuality, and so on.
- Don’t let them use it for their benefit – Ensure, through your data processing agreement, and verify during your due diligence on each application, that the provider’s terms state clearly that you (as the customer) own the data and that it is not shared with third parties.
- Erasure – Many cloud apps, Google being one, will retain your data beyond the deletion of your account. Make sure that any cloud application in use within your organisation has terms along the lines of: “You can download your own data at any time, and upon deleting any data, or upon termination of your service, all of your data will be deleted immediately.”
Are you in the market for a cloud service? Already outsource and thinking of changing your cloud partner? We can help…
Our team is made up of individuals with front-line experience working in the IT industry, and we now use our position to offer free-of-charge tech advice to businesses.
When you’re ready to go to market, Wingman operates a price-comparison-style service, where we vet providers of IT Support & Managed Services and link them with UK businesses that have an active need.
We can discuss your requirements, offer potential solutions and then link you with our vetted Partners, who offer no-obligation proposals and consultancy around your project or service requirement.