Hybrid Cloud Solutions Can Make Your Organization GDPR Compliant

essidsolutions

The European Union’s General Data Protection Regulation (GDPR) took hold on May 25, and all companies, regardless of whether they are based in the EU or not, face the potential of stiff fines, in theory up to 4% of worldwide turnover, if they fail to comply with the requirements of the legislation.

The GDPR has been drawn up to harmonize data privacy laws across Europe and protect the privacy rights of residents of EU countries. It is also intended to change the way companies and other organizations manage the data of private individuals. Many will need to adopt a new approach to their data storage, and hybrid cloud solutions could be the key.

Cloud Services Providers

US companies need to be particularly careful about how they manage the private data of EU citizens or residents and where it is being stored. Organizations that are using a cloud provider for data storage services must examine how the third-party provider is processing the data on their behalf.

GDPR: Risk of Inadvertent Breaches

From a technical perspective, the cloud services that are now widely used by enterprises to store data will still be subject to GDPR enforcement. US companies face the prospect of financial penalties if they manage the data of EU residents incorrectly – even, for example, by inadvertently moving the data to a server in another country.

The penalties for breaching GDPR data compliance regulations are potentially onerous, at up to €20 million or 4% of global revenue, whichever is higher. However, many organizations either remain unaware of their obligations under the legislation or are struggling to achieve compliance. In many cases they are still using legacy applications or off-site arrangements that are no longer adequate to meet the new requirements.

However, a hybrid cloud computing solution can enable an enterprise to mitigate these risks, for example by storing less sensitive data in the cloud while keeping data governed by GDPR stipulations on the premises.

“Cloud storage has seen a tremendous increase in adoption, but few are aware of the additional governance concerns and potential risks involved with the residency and sovereignty of that data,” says Steven Lamb, CEO of multi-site data management company ioFABRIC.

The Hybrid Cloud Response to GDPR

Adopting a hybrid cloud approach is the best way to plan for GDPR compliance, and it can be implemented using a data governance plan that maps out how and where the company plans to store data. Keeping sensitive data on-premises gives firms much more control over how it is used and where it is located.

Hybrid cloud infrastructures can turn existing storage structures into an on-premises private cloud, delivering a storage-as-a-service model. Such an infrastructure connects local storage with public storage, usually managed by a third-party data management platform. Policies can be set to ensure compliance with GDPR, for example by specifying locations where data is not permitted to reside, and tailoring data migration and protection rules accordingly.

Once the hybrid cloud solution is in place, it can be further configured in order to maintain compliance in the event that new legislation is adopted that alters the rules governing use and storage of personal data.

Managing Hybrid Cloud Apps

Part of the challenge of GDPR compliance lies in achieving a proper appreciation of how many cloud storage platforms and apps an enterprise is using. It is difficult to assess the potential liability of the business when the IT department is prone to underestimate its total exposure to the cloud, including use of various cloud apps by employees who may inadvertently be storing client data there.

Policing a company’s cloud usage begins with having an accurate inventory of all the apps the organization is using and where those apps are storing the data.
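The two points above, residency policies that name where each class of data may and may not reside, and an inventory of which apps hold data in which locations, can be combined into a single audit. The following is an added example written for this article; it is not code from the article, from ioFABRIC, Netskope, IBM or any other vendor named here. The data classes, region names, app names and the policy itself are constructed assumptions standing in for a real governance plan and a real inventory export.

```python
"""Data-residency policy check over a cloud app inventory.

Added example, not code from the original article or from any vendor it names.
The data classes, regions, app names and policy below are constructed for
illustration; a real deployment would load them from the governance plan and
from a cloud inventory or CASB export.
"""
from dataclasses import dataclass

# Regions treated as EU jurisdiction for residency purposes (assumed list).
EU_REGIONS = {"eu-west-1", "eu-central-1", "eu-north-1", "on-prem-frankfurt"}

# Governance policy: where each data class may live, and where it must never live.
# "personal" is GDPR-governed data and is pinned to the on-premises site;
# "public" carries no residency constraint beyond an explicit deny-list.
POLICY = {
    "personal": {"allow": {"on-prem-frankfurt"}, "deny": set()},
    "confidential": {"allow": EU_REGIONS, "deny": set()},
    "public": {"allow": None, "deny": {"sanctioned-region"}},  # None = any region
}


@dataclass
class App:
    name: str
    data_class: str
    regions: set              # regions where this app is known to persist the data
    sanctioned: bool = True   # False = shadow IT discovered by the inventory


def evaluate_placement(data_class, region):
    """Return None if data of this class may reside in region, else a reason string."""
    rule = POLICY.get(data_class)
    if rule is None:
        return f"unknown data class {data_class!r}"
    if region in rule["deny"]:
        return f"region {region!r} is explicitly denied for {data_class!r}"
    if rule["allow"] is not None and region not in rule["allow"]:
        return f"region {region!r} not in allow-list for {data_class!r}"
    return None


def audit_inventory(apps):
    """Evaluate every app/region pair; return a list of (app, region, reason) findings."""
    findings = []
    for app in apps:
        if not app.sanctioned:
            findings.append((app.name, None, "unsanctioned app holding company data"))
        for region in sorted(app.regions):
            reason = evaluate_placement(app.data_class, region)
            if reason:
                findings.append((app.name, region, reason))
    return findings


def check_migration(app, target_region):
    """Gate a proposed data migration: True only if the target is allowed under POLICY."""
    return evaluate_placement(app.data_class, target_region) is None


# Constructed sample inventory (not real systems).
SAMPLE_APPS = [
    App("crm", "personal", {"on-prem-frankfurt"}),
    App("backup-sync", "personal", {"on-prem-frankfurt", "us-east-1"}),
    App("wiki", "confidential", {"eu-west-1"}),
    App("filesharer", "confidential", {"us-west-2"}, sanctioned=False),
    App("website-assets", "public", {"us-east-1", "eu-west-1"}),
]

if __name__ == "__main__":
    for name, region, reason in audit_inventory(SAMPLE_APPS):
        print(f"{name:16} {region or '-':18} {reason}")
```

Run as a script, the audit flags the backup tool that has replicated personal data to a non-EU region, and the unsanctioned file-sharing app both for being unsanctioned and for its placement. The same `evaluate_placement` rule is reused by `check_migration`, so a migration job can be refused before data moves rather than discovered afterwards, which is the scenario the article warns about.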

Data security is also going to be an important consideration under the GDPR. Therefore, the compliance exercise represents an opportunity to sift through apps and assess their security standards. Products such as the Cloud Confidence Index compiled by hybrid cloud access security specialist Netskope can be a useful way to evaluate which apps will meet the security standards that the European legislation will demand.

Enterprises will need to put in place a data processing agreement to ensure that their hybrid cloud providers will be compliant with the GDPR. The most important aspect of this agreement is to ensure that cloud providers extract and store off-site only the data that is essential, and that there is full understanding and clarity between client and provider about which GDPR-sensitive data is to be left on the company’s on-site servers.

Any agreement with hybrid cloud providers will also need to set out how the personal data of EU nationals is being managed and stipulate explicitly that this data not only may not be shared with third parties but will be deleted once the hybrid cloud agreement is terminated.

Companies should bear in mind that deletion of data should be carried out as quickly as possible under the terms of a data processing agreement. It is anticipated that some cloud storage solutions may risk being caught out by the GDPR strictures because of lingering data issues.

Choosing a Provider

Major hybrid cloud providers are already working with clients around the world to prepare them for GDPR. IBM, for example, has introduced Cloud Secure Virtualization, which works on single-tenant bare metal servers. The company has also recently launched a new support model and capabilities for its cloud data center in Germany, designed to help restrict access and give clients more transparency over where their data is stored.

Using servers located within Europe can also help clients meet requirements to store data in an EU jurisdiction. It remains acceptable for EU data to be hosted by non-EU cloud providers, as long as these service providers maintain compliance with the GDPR.

The bigger cloud computing providers are already offering their clients localization guarantees. Amazon Web Services, for example, allows customers to stipulate the location of data within the EU or even to specify particular member states. The bigger providers should be ahead of the game, but if a company has more specific contractual requirements that cover storage, the generic offering from larger providers may not be sufficiently customizable.

As with other types of European legislation, a situation can arise where individual EU member states may add further requirements on top of those set out in the regulation. Whether this affects an enterprise will depend on the sort of business it is doing with clients in these countries, although for most US firms, a more generic cloud-based solution should suffice.

It is worthwhile for an organization to conduct a full data risk assessment in order to make sure its data storage is GDPR compliant, and in the case of a large business, to create the role of a data protection officer, responsible for overseeing its data storage. This is especially important if the storage includes CCTV images or profiling data.