Intelligent CIO Europe Issue 09 | Page 53

ONLY 34.5% OF NEARLY 500 PROFESSIONALS INVOLVED IN GDPR COMPLIANCE EFFORTS SAY THEIR ORGANISATIONS CAN DEMONSTRATE COMPLIANCE WITH THE NEW DATA PRIVACY RULES.
Data heads into the limelight
“The GDPR imposes the principle of ‘privacy by design’ on IT environments, thereby bringing data protection and security to the fore. Under the GDPR, any company that processes sensitive customer data becomes a ‘contract data processor’. Once this happens, the company has a number of requirements imposed on them that must be fulfilled in order to comply with the regulation. These include:
1. The need to obtain customer consent to process their personal data
2. The need to provide customers full visibility of how their data is being used
3. The duty to report data breaches


“Importantly, if a breach occurs, companies must notify affected customers immediately and report the incident to the supervisory authorities within 72 hours. Hefty fines can be imposed if notification is not carried out within the specified period or to the required extent. Depending on the circumstances, the penalty can amount to up to 2% of global turnover in the previous year, or a maximum of €10 million (GDPR Article 83(4)).
A new duty of care under the GDPR
“Companies need to take the time to carefully understand their new responsibilities. Until now, it has been common practice to burden all data security responsibilities on cloud service providers (CSPs). However, the GDPR is implementing measures that put a stop to this behaviour.
“Under GDPR, companies have a responsibility to ensure that the CSPs they use have adequate data processing procedures in place to make them compliant, not just take their word for it. The EU has attempted to make this easier by issuing certificates for CSPs. However, these certifications have raised difficulties for reasons such as:
• There are no uniform European standards
• Certification is completely voluntary
• Quality seals currently used by CSPs are not adequate to meet GDPR compliance
“As such, even if a CSP has a quality seal, any company wishing to work with it must still take the time to ensure a satisfactory level of data protection is in place. If this duty is neglected, the company in question can be held partly responsible if the CSP is breached.
“For many organisations, this means they must carefully examine their CSP’s data procedures to confirm compliance with GDPR AND implement regular audits to ensure it’s maintained. The first step of this will likely already stretch many organisations to their limits. But even with all of this complete, in theory it’s still possible for a CSP to be hacked without anyone ever noticing, permanently leaving cloud users operating with a level of uncertainty.
Data encryption: A silver bullet for GDPR compliance
“As the above shows, it’s no simple feat to use cloud services and maintain complete control over your data. However, the GDPR has an answer to this, as set out in Article 34(3)(a):
‘The communication to the data subject […] shall not be required if […] the controller has implemented appropriate technical and organisational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption […].’
“Put simply, this means companies will not have to notify customers about breaches if their data has been encrypted strongly enough to make it useless to malicious parties. Under the GDPR, this situation would not count as a notifiable loss of data. Furthermore, it is not necessary to inform the supervisory authority if it’s clear that ‘[…] the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.’ (Art. 33(1))
“For encryption, the highest standard available must be used. Currently, this is Advanced Encryption Standard AES-256, which utilises 256-bit keys to encrypt data. An initialisation vector ensures that a new, random key is generated for each encryption process. To permanently ensure sufficient randomness in a large volume of data, the initialisation vector should be of the same length as the key – i.e. 256 bits.
“Applications that encrypt data should also give companies control of the encryption keys, ensuring that only the company has access to the encrypted data. Furthermore, to avoid the ever-present possibility of an insider leak, access rights should be given only to a small group of trained and trusted employees. Doing so will maximise the security of company data whenever in transit, at rest, or in use.
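The encryption arrangement the column describes above (AES-256, a fresh random initialisation value drawn for every encryption, and keys that stay with the company rather than the cloud provider) as an added example in Go. This is not code from the magazine or its contributor. It uses AES-256 in GCM mode from the Go standard library, so the per-message random value is the 96-bit nonce that mode specifies and the ciphertext carries an authentication tag; the customer record, the "provider-side" key and the remark about a company key store are constructed assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes: a 256-bit key selects AES-256.
const KeySize = 32

// NewKey draws a fresh 256-bit key from the OS CSPRNG. In a deployment
// this key would live in the company's own key store (an assumption of
// this example), never on the cloud provider's side.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A new random nonce is drawn
// on every call and prepended to the output, so encrypting the same
// record twice never produces the same bytes.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes, GCM's standard size
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and a 16-byte tag after the nonce.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key, a truncated blob or a single
// flipped bit fails authentication and yields an error, not garbage.
func Decrypt(key, blob []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	companyKey, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; any real data would come from the application.
	record := []byte("customer=Jane Doe;email=jane@example.invalid")

	c1, _ := Encrypt(companyKey, record)
	c2, _ := Encrypt(companyKey, record)
	fmt.Println("same record, different ciphertexts:", !bytes.Equal(c1, c2))

	// A key the provider might hold (constructed) cannot open the data.
	providerKey, _ := NewKey()
	_, err = Decrypt(providerKey, c1)
	fmt.Println("decryption without the company key fails:", err != nil)

	plain, err := Decrypt(companyKey, c1)
	fmt.Println("company key recovers the record:", err == nil && bytes.Equal(plain, record))
}
```

The point the Article 34(3)(a) passage turns on is visible in the last two checks: a copy of the stored blob is unintelligible to anyone without the company-held key, while the legitimate key recovers the record and any alteration of the blob is rejected rather than silently decrypted.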
“For companies in this position, the next step is to ascertain the location of any subcontractors used by their CSP. If customer data is being sent to non-EU countries by the CSP, consent about the use of this data must be obtained. If so, companies can rest easy about GDPR knowing they have fulfilled their required duties.
“The GDPR deadline has passed and for the many organisations that have embraced the cloud, there is still a lot of work to do, particularly where CSP partners are concerned. Adopting robust data encryption ensures sensitive customer and company data is protected at all times, regardless of where it is. •
www.intelligentcio.com INTELLIGENTCIO 53