There is no doubt that GDPR is going to mean a monumental change in the way data is shared globally. And for all organisations it may result in large fines and a lot of bad press if they are seen to not be compliant. So what does GDPR really mean and how can you get your IT infrastructure and data sharing processes ready in time?
What is GDPR?
The EU’s General Data Protection Regulation (GDPR) is a legislative document by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used. At present, the UK abides by the Data Protection Act 1998 but this will be superseded by the new legislation. GDPR will result in higher penalties for non-compliance and breaches, and gives the public more say over what organisations have access to their data and what they do with it.
One of the big compliance areas of GDPR will be around how organisations store and share data – and perhaps more importantly how they remove it when requested. Below are a few key points to consider when thinking about how to keep your sharing processes compliant.
Where is the data held?
Many organisations in today’s digital world have opted for the cloud as a key storage point for all or most of the organisation’s data. And often this is chosen as it is simpler, cheaper and makes access for all employees, regardless of location, very easy. However it is important to understand where your “cloud” is kept. Which country does it reside in? What are the security measures? What are the backup policies?
It is important to understand this at the outset, as you will be held responsible if your data is breached. And as the physical location of data becomes an increasing concern, a hybrid approach to cloud and on-premise may be a favourable option for many.
Can it be encrypted?
Protecting your data against ransomware is paramount and you will need to prove that you have taken all precautions possible to secure the data you hold about your customers. Who is going to manage the encryption of the data? If the data is in a public cloud it is important to understand whether or not you can still manage your own encryption keys and store them on your own server.
Many vendors have introduced customer-managed keys to address the issue of accessibility of data by the service provider. Almost all enterprise file sync-and-share cloud service providers encrypt customer data when it is stored in their service. Many of them also hold the data encryption keys. They do this for a very good reason — to facilitate the sharing of information between users and domains.
So if user A wants to share a file with user B, the service provider acts as a broker between the two — and to do that, the provider needs to be able to give user B access to the file.
However, there can be issues with this approach. If the cloud provider holds both the data and the keys, a hacker could get into the service provider’s data center and access both items. Or a rogue employee within the service provider’s organisation obtain the keys and the data, opening up a host of issues around potential security breaches. But if the customer manages the keys, the cloud provider cannot turn over the data it holds without subscriber knowledge — the subscribing company must be involved in the process. It also means a rogue service provider employee can’t access the files.
What happens to deleted data?
When GDPR comes into force organisations will need to be able to remove data from all locations if a consumer requests them to. So what happens in a situation where the data is spread across multiple users, devices and locations? Organisations may need to look into the ability to allow users and admins to sync all files and folders without moving them to one central location.
Because in the unfortunate event your company or a user is breached by ransomware, you have back-ups of every file in every folder, not just the few files the team remembered to copy to the single sync folder. This approach will provide the public with the knowledge that if they request for their data to be removed it will quickly be deleted from all locations.
It will be all of these combined factors, along with others, that will help organisations to start on their way to becoming GDPR compliant. It may seem like the deadline is months away but it will creep up sooner than we know, and now is the time to get ready. And it is also important not to forget that it will also take employees time to get to grips with this new way of working, so the longer you can give them to make that happen, the better.
Richard Farnworth is UK country manager of Axway