Article by: Steve Armstrong, Regional Director UK, Ireland & South Africa at Bitglass
The vast majority of business enterprises are now using cloud services in some form, swayed by the promise of more efficient IT processes and the long-term cost benefits on offer. However, with the EU’s General Data Protection Regulation (GDPR) now in play, enthusiasm for the use of cloud applications could be somewhat dampened.
Data heads into the limelight
The GDPR imposes the principle of ‘privacy by design’ on IT environments, thereby bringing data protection and security to the fore. Under the GDPR, any company that processes sensitive customer data becomes a ‘contract data processor’. Once this happens, the company has a number of requirements imposed on them that must be fulfilled in order to comply with the regulation. These include:
1. The need to obtain customer consent to process their personal data
2. The need to provide customers full visibility of how their data is being used
3. The duty to report data breaches
Importantly, if a breach occurs, companies must notify affected customers immediately and report the incident to the supervisory authorities within 72 hours. Hefty fines can be imposed if notification is not carried out within the specified period or to the required extent. Depending on the circumstances, the penalty can amount to up to 2% of global turnover in the previous year, or a maximum of €10 million (GDPR Article 83(4)).
A new duty of care under the GDPR
Companies need to take the time to carefully understand their new responsibilities. Until now, it has been common practice to burden all data security responsibilities on cloud service providers (CSPs). However, the GDPR is implementing measures that put a stop to this behaviour.
Under GDPR, companies have a responsibility to ensure that the CSPs they use have adequate data processing procedures in place to make them compliant, not just take their word for it. The EU has attempted to make this easier by issuing certificates for CSPs. However, these certifications have raised difficulties for reasons such as:
- There are no uniform European standards
- Certification is completely voluntary
- Quality seals currently used by CSPs are not adequate to meet GDPR compliance
As such, even if a CSP has a quality seal, any company wishing to work with it must still take the time to ensure a satisfactory level of data protection is in place. If this duty is neglected, the company in question can be held partly responsible if the CSP is breached.
For many organisations, this means they must carefully examine their CSP’s data procedures to confirm compliance with GDPR AND implement regular audits to ensure it’s maintained. The first step of this will likely already stretch many organisations to their limits. But even with all of this complete, in theory it’s still possible for a CSP to be hacked without anyone ever noticing, permanently leaving cloud users operating with a level of uncertainty.
Data encryption: A silver bullet for GDPR compliance
As the above shows, it’s no simple feat to use cloud services and maintain complete control over your data. However, the GDPR has an answer to this, as set out in Article 34(3)(a):
‘The communication to the data subject […] shall not be required if […] the controller has implemented appropriate technical and organisational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption […].’
Put simply, this means companies will not have to notify customers about breaches if their data has been encrypted strongly enough to make it useless to malicious parties. Under the GDPR, this situation would not count as a notifiable loss of data. Furthermore, it is not necessary to inform the supervisory authority if it’s clear that ‘[…] the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.’ (Art. 33(1))
For encryption, the highest standard available must be used. Currently, this is Advanced Encryption Standard AES-256, which utilises 256-bit keys to encrypt data. An initialisation vector ensures that a new, random key is generated for each encryption process. To permanently ensure sufficient randomness in a large volume of data, the initialisation vector should be of the same length as the key – i.e. 256 bits.
Applications that encrypt data should also give companies control of the encryption keys, ensuring that only the company has access to the encrypted data. Furthermore, to avoid the ever-present possibility of an insider leak, access rights should be given only to a small group of trained and trusted employees. Doing so will maximise the security of company data whenever in transit, at rest, or in use.
For companies in this position, the next step is to ascertain the location of any subcontractors used by their CSP. If customer data is being sent to non-EU countries by the CSP, consent about the use of this data must be obtained. If so, companies can rest easy about GDPR knowing they have fulfilled their required duties.
The GDPR deadline has passed and for the many organisations that have embraced the cloud, there is still a lot of work to do particularly where CSP partners are concerned. Adopting robust data encryption ensures sensitive customer and company data is protected at all times, regardless of where it is.