Under the new GDPR, businesses are called on to standardize how they handle personal data. It’s also an opportunity to get your systems and processes ahead of the next regulation.
GDPR—the European Union’s General Data Protection Regulation—will come into effect on May 25, 2018. While the fines—up to approximately $24 million or 4 percent of annual profit—are enough to make businesses take notice, the new regulations highlight a new way of handling security and privacy that will impact how all businesses process and manage personal data going forward.
Under GDPR, there are 99 articles that cover how personal data of EU citizens is handled. These apply to all instances of data, from production data to backups and all data shared with contractors. The regulation applies to any organization that processes or collects data from EU citizens—no matter where that organization is located.
It has been estimated that more than half of the companies affected will not be compliant by May 25 or even by year’s end.
Below are some best practices that can guide your GDPR compliance in the cloud and your broader security initiatives.
Understand Your Compliance Responsibility
Security doesn’t happen in a vacuum but depends on the cooperation of all the parties with whom you do business. Under GDPR, organizations and any third parties that process, store, or manage personal data on your behalf must be compliant. Both data controllers (who define how personal data is collected and why) and data processors (who process the personal data on the controller’s behalf) are bound by GDPR. For example, when a company uses the cloud to store personal data, they would be acting as the controller, while the cloud provider would typically be considered a processor. GDPR defines the responsibilities for each side.
Make sure your organization understands its compliance responsibilities and those of any third parties classified as data processors for your organization. AWS has publicly announced their compliance, while Google and Microsoft have announced plans to comply by the May 25 deadline.
Determine Your Scope of Compliance
Having a deep understanding of your storage solutions and data sets is crucial to determining your required scope of compliance. GDPR regulates that any information classified as personally identifiable—names, photos, email addresses, social media posts, health and medical information, internet cookies, IP addresses, and so forth—must be protected.
Start by reviewing the data that your organization currently stores to determine if this information is truly required for you to do business. Use GDPR compliance as an opportunity to remove data that is either outdated or unnecessary for operating your business. Identify which data stores are affected by GDPR, then refine your data collection processes and procedures to ensure that you’re storing only the data that is absolutely necessary.
Make Encryption Business as Usual
Last year’s high-profile data breaches left millions of customer records exposed. Under GDPR, the legal and financial implications of a breach of personally identifiable information (PII) could be fatal for your business.
Unencrypted data can be read by anyone who has access to it. In the cloud, data is no longer confined to your premises but may be hosted in multiple locations, so it requires additional measures to keep it secure both at rest and in transit.
While not mandatory under GDPR, encryption is one of the best methods that organizations can employ to protect data no matter where it is located.
In the cloud, there are a number of different encryption mechanisms that may be used across a multitude of different services. At-rest encryption can be implemented from server-side through to client-side, but you must also use encryption when the data is in transit. Some cloud services focus solely on encryption and may be closely integrated with other services, allowing you to enforce and meet the most stringent of data protection controls across your infrastructure.
Having an understanding of your encryption options and mechanisms, along with a sound understanding of the encryption keys and how they are protected and used, will enable you to maintain a strong level of data protection.
Once your data is encrypted, it’s important to enforce the correct level of permissions to allow ‘decrypt’ access to that data to only those who need it.
Get Proactive About Protecting Data
Under GDPR, compliance will not be a one-time effort but an ongoing process. Therefore, you’ll want to take a proactive approach to monitoring and detection, not only to prevent breaches by hackers or accidental exposures but also to ensure that any personal data you are responsible for is being properly managed.
Cloud providers offer a variety of services that can do the heavy lifting when it comes to protecting data and alerting you to non-compliance within your environment:
- Monitoring and threat detection services can help you identify everything from security loopholes and changes in your environment to noncompliant resources and brute-force attacks against a resource. For example, being able to capture every API call made within your environment allows you to monitor for irregular trends or malicious activity, triggering additional controls that prevent the user from causing further damage.
- Automated, real-time log analysis of key metrics and events triggered within your environment can reduce the effects of a potential breach and verify compliance.
- Machine-learning-based services such as Amazon Macie recognize PII in data and provide alerts so that users can ensure that they are in compliance.
- Intelligent threat detection services allow users to monitor their account for unusual and unexpected behavior by analyzing log data generated by their infrastructure. AWS’s GuardDuty service, for example, uses data generated from Virtual Private Cloud (VPC) flow logs, CloudTrail event logs, and Domain Name System (DNS) logs and assesses it against multiple security and threat detection feeds to look for anomalies and known malicious sources such as IP addresses and URLs.
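To make the API-call monitoring described above, and the earlier point about restricting ‘decrypt’ access and enforcing encryption at rest, concrete, here is an added example (not code from the original article or from AWS) that runs three simple detection rules over a handful of constructed, simplified CloudTrail-style events: repeated failed console logins from one IP, S3 uploads that did not request server-side encryption, and KMS Decrypt calls refused by policy. The event shape, user names, addresses and the threshold value are assumptions for illustration.

```python
from collections import Counter
# Constructed, simplified CloudTrail-style events (not real account data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "carol"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "PutObject", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "customer-pii", "key": "export.csv",
                           "x-amz-server-side-encryption": "aws:kms"}},
    {"eventName": "PutObject", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "customer-pii", "key": "dump.csv"}},
    {"eventName": "Decrypt", "userIdentity": {"userName": "dave"},
     "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied"},
]
FAILED_LOGIN_THRESHOLD = 3  # hypothetical tuning value, not an AWS setting

def failed_logins_per_ip(events):
    """Source IPs with repeated failed console logins (brute-force indicator)."""
    fails = Counter(e["sourceIPAddress"] for e in events
                    if e["eventName"] == "ConsoleLogin"
                    and e.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    return {ip: n for ip, n in fails.items() if n >= FAILED_LOGIN_THRESHOLD}

def unencrypted_uploads(events):
    """PutObject calls that did not request server-side encryption."""
    out = []
    for e in events:
        p = e.get("requestParameters", {})
        if e["eventName"] == "PutObject" and "x-amz-server-side-encryption" not in p:
            out.append((p["bucketName"], p["key"], e["userIdentity"]["userName"]))
    return out

def denied_decrypts(events):
    """KMS Decrypt calls refused by policy: review who is asking for PII keys."""
    return [(e["userIdentity"]["userName"], e["sourceIPAddress"]) for e in events
            if e["eventName"] == "Decrypt" and e.get("errorCode") == "AccessDenied"]

def findings(events):
    # All alerts as (rule, detail) tuples, ready to hand to an alerting pipeline.
    out = [("failed-logins", f"{ip}: {n} failures") for ip, n in failed_logins_per_ip(events).items()]
    out += [("unencrypted-put", f"s3://{b}/{k} by {u}") for b, k, u in unencrypted_uploads(events)]
    out += [("denied-decrypt", f"{u} from {ip}") for u, ip in denied_decrypts(events)]
    return out
```

In practice the same rules would be fed from CloudTrail delivered to S3 or CloudWatch Logs and the findings routed to an alerting channel; the denied-decrypt rule is a positive control check, confirming that decrypt rights on PII keys are scoped as intended.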
Train for a Security-First Culture
Staying ahead of the next regulation or disruption requires technical excellence, collective experience, business context, and shared understanding. In a word, culture. Because security and GDPR will touch a much broader section of your business than just IT, you will need to prepare all internal stakeholders for the technology and business implications of a security-first culture.
Senior management should help drive change by ensuring that security is at the forefront of all corresponding methodologies, practices, processes, and procedures. Simultaneously, a clear plan for training and education must run in parallel, allowing employees to keep skills up to date and learn new technologies and techniques that they can apply to the evolving demands of the market and your business. If a business moves too fast without an adequate training plan to support its employees, privacy best practices can be overlooked, shortcuts may be made, and vulnerabilities will be quietly designed into solutions.
Building and maintaining a privacy program that is GDPR compliant takes hard work and doesn’t happen overnight. Challenge your teams to be comprehensive and thorough in the coming weeks. Remind teams that by taking a broader view of security and privacy, starting today, their organization will be far better off in both the short- and long-term.