The EU General Data Protection Regulation (GDPR) aims to better protect the privacy of personal data for EU citizens. It’s considered the world’s most significant — and aggressive — data privacy law to date, and, with just over a year until it goes into effect in May 2018, it’s time for businesses to start taking it seriously.
Here’s why: it affects businesses in nearly every country in the world. Any company that markets goods or services to EU residents is subject to the GDPR, regardless of where it is located. Companies that violate this regulation can face charges of up to €20 million or four percent of their global revenue, whichever is greater.
To give an example of the impact of the regulation, consider these hypothetical fines that could come from failure to comply:
- General Mills -$164 million
- Apple – $8.6 billion
- HP – $1.9 billion.
These numbers are staggering and should serve as a wake-up call for businesses to start taking steps toward compliance.
Here are a few important steps to take in order to ensure companies are heading in the right direction.
First and foremost, educate your employees.
Our survey at this year’s RSA conference found that 51% of respondents have never even heard of the GDPR, and only 9% have detailed knowledge of the regulation. What’s more, 75% of respondents stated that their employer has neither informed them about GDPR, nor how the regulation might affect work processes. Only 9% stated that their company has offered plenty of information.
These numbers are concerning, and prove that companies aren’t taking the regulation seriously enough. Businesses must educate their employees about the regulation, and how it affects not only company data, but the personal data they share through their devices and the cloud services they use.
On that note…
Know the cloud services used within your organization
Our RSA survey also found that businesses severely underestimate the number of cloud services in use in their organization – over half (53%) of respondents estimated that there are less than 100 cloud services in use. In reality, this number is over ten times higher – our January Netskope Cloud Report found that enterprises are now using, on average, a total of 1,031 cloud services.
Even more concerning, 94.8% of cloud services are not enterprise ready, meaning they lack necessary security controls.,Because many companies lack visibility into their cloud service environment, this is an important next step in moving toward GDPR compliance.
Above all, remember this: you’re only as secure as your knowledge of your cloud service ecosystem. If one of your employees is using an unsanctioned, non-GDPR-compliant cloud service, your organization is at risk of failing to comply.
Know what data is in the cloud, both corporate and personal
It’s important that enterprises are aware of both the cloud services in their environment and the data resident in those services. This is not just limited to corporate data, but also to personal data (e.g., a user's PHI, PII). One challenge for organizations is that many, if not most, personal data for which the organization is legally responsible are found in emails and unstructured content like documents that are stored in cloud services not sanctioned by IT. The data are then downloaded and stored on mobile devices and shared with others outside the company, taking it out of the IT department’s direct control.
To become compliant, organizations must have insight into which personal data are processed by users and cloud services, prevent personal data from being stored in ways that violate security policies, and protect personal data when stored or processed through cloud services. Companies will need to implement measures to bring such cloud services under the visibility and control of the organization.
Make sure your cloud services are GDPR ready
Businesses have a long way to go before their cloud services are GDPR-ready. The January Netskope Cloud Report found that 66% of all cloud services do not meet the threshold for GDPR compliance, meaning they lack proper residency, privacy, and security controls to meet the requirements of GDPR. This percentage has decreased from the 75% we found in our June 2016 Cloud Report, but it’s a staggering number given the regulation goes into effect in just over a year.
Digging in further, the January report found that 82% of cloud services do not encrypt data at rest, 66% do not specify that their customers own the data in their terms of service, and 42% do not allow administrators to enforce password controls. Because these features are all required for full GDPR compliance, this is a problem that businesses must address if they want to avoid fines.
Whether you’re a European organization or a multi-national organization with European customers, the GDPR will have major effects on your approach to and use of the cloud. Having visibility into and control of your data are key ingredients in taking steps toward compliance in the coming fourteen months.