Nick Stringer - Five Key Things EU General Data Protection Regulation (GDPR) ...
EveryCloud_GDPR_Whitepaper_v2
The new EU General Data Protection Regulation (GDPR)
What these tough new laws mean for your business and its cloud services

EVERYCLOUD: The new EU General Data Protection Regulation
Strict new data laws: time for action

Designed to modernise and strengthen data protection laws originally drawn up before mass Internet adoption, the European Union’s General Data Protection Regulation (GDPR) is on its way. The new framework tightens up data protection for individuals inside the EU and also covers the export of personal data outside it. The GDPR comes into force this summer, and EU member states then have two years to implement it; it features strict new rules and punitive measures. UK organisations need to start planning, especially as so much sensitive employee and customer data is now stored or processed in the cloud.
With a significant percentage of businesses that use cloud services reporting losing data – industry analysts Aberdeen Group have indicated that this could be as high as 32% of companies [1] – and the threat of cyber attacks continuing to grow, the GDPR places new and more onerous responsibilities on organisations. For example, data breaches must be reported within 72 hours. All privacy policies, procedures and documentation have to be robust and current at all times, with the relevant data protection authorities able to request them at any time. Organisations of a certain size will require a Data Protection Officer, a role many do not currently have. Organisations will need to keep an accurate and up-to-date information asset register, maintain demonstrably strong technical and procedural controls over all data, and manage privacy policies on an ongoing basis that not only inform employees, users and customers how personal and confidential data will be stored and processed but also obtain their consent. GDPR legislation will apply to any company that handles European Union citizens’ data, even if that company is not actually based in the EU.

One of the biggest changes is the significant increase in financial penalties resulting from a failure to comply: up to four percent of global turnover or €20 million (£15.9m), whichever is the greater. This, in itself, should be a catalyst to take action now. At the simplest level, this means asking questions such as: Is two years long enough for our organisation to plan, take action and fully comply? What exactly are the implications for the cloud services we currently use? And – perhaps most importantly – how can we close the gaps in our data protection strategy as it relates to our cloud security, data usage and identity access arrangements?

Plan to protect: data protection gets serious

Welcomed by the European Council as “a major step forward in the implementation of the Digital Single Market Strategy”, the complex GDPR framework has serious implications for UK organisations. BBC News has described the GDPR as “the biggest shake-up of data protection laws for 20 years”, with the stated aim “to give citizens back control of their personal data as well as simplifying the regulatory environment” [2]. Four years in the making, the GDPR was agreed by the EU Commission, Parliament and Council of Ministers in December 2015 after months of negotiations. The rules come into force in 2016, with EU member states given two years to comply.

So what are the potential impacts, and what should you be doing? First, companies with more than 250 employees will need to employ a Data Protection Officer. In terms of urgency, the UK’s Computer Weekly has reported that while organisations may feel they have “plenty of time to get ready, the clock is ticking and it’s later than you think.” [3]

1 Aberdeen Group research, “SaaS Data Loss: The Problem You Didn’t Know You Had”
2 BBC News, “What does shake-up of EU data laws really mean?” - Jane Wakefield, 14th April 2016 - http://www.bbc.co.uk/news/technology-36037324
3 Computer Weekly, “Do not delay, EU data protection changes on the way” - http://www.computerweekly.com/feature/Do-not-delay-EU-data-protection-changes-on-the-way
A compelling case for change

With the GDPR requiring that all privacy policies, procedures and documentation are robust and up to date, the implications for every function involved in data handling are enormous. Decisions on where you store personal data covering customers and employees, for how long, and where and how you process that data, are assuming far greater strategic importance to the enterprise. As more and more companies depend on an increasing number of cloud apps and services to support their operations, the Cloud Security Alliance, “the world’s leading organisation dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment” [4], says: “From a cloud computing point of view, these changes are long overdue and will lubricate the roll-out of utility-based computing in the EU.” [5]

This is as much about trust as it is compliance. A recent Intel survey reported that 72% of companies cited “compliance” as their biggest concern around cloud adoption [6], with the CTO of Intel Security EMEA commenting: “As we enter a phase of wide-scale adoption of cloud computing to support critical applications and services, the question of trust within the cloud becomes imperative… The key to secure cloud adoption is ensuring sufficient security controls are integrated from the start so the business can maintain their trust in the cloud”. [7] There is clearly a growing awareness of the potentially serious consequences of a data breach and the value of those “sufficient security controls” being integrated fast – requirements underlined by the demands of the GDPR.

At least three issues are converging here:
1. Increased cloud adoption
2. A far stricter regulatory environment
3. A continuously evolving threat landscape

4 Cloud Security Alliance - https://cloudsecurityalliance.org/about/
5 Computer Weekly, “Do not delay, EU data protection changes on the way” - http://www.computerweekly.com/feature/Do-not-delay-EU-data-protection-changes-on-the-way
6 Blue Skies Ahead? The State of Cloud Adoption – Intel report, 2016
7 Business Cloud News, “Only 13% trust public cloud with sensitive data – Intel survey”, 14th April 2016 - http://www.businesscloudnews.com/2016/04/14/only-13-trust-public-cloud-with-sensitive-data-intel-survey
‘A modern and harmonised data protection framework across the EU’

“The European Commission put forward its EU Data Protection Reform in January 2012 to make Europe fit for the digital age. More than 90% of Europeans say they want the same data protection rights across the EU – and regardless of where their data is processed. The Regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.

The Directive for the police and criminal justice sector protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.”

The official texts of the Regulation and the Directive were published in the EU Official Journal in all official languages on 4th May 2016. While the Regulation came into force on 24th May 2016, it will apply from 25th May 2018. The Directive entered into force on 5th May 2016, and EU Member States have until 6th May 2018 to transpose it into their national law.

Source: European Commission > Justice > Data protection > reform - http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Discover yourself

‘A lack of understanding’ when it comes to cloud services

The GDPR is providing many organisations with added impetus to prioritise what many call cyber security and what is increasingly termed cloud security and identity access. At the end of 2015, CNBC reported that around half a million attack attempts were happening in cyberspace every minute. [8] Another report in late 2015 had found that 25% of organisations had experienced a cyber attack in the previous 12 months, and the majority of respondents – 51% – were concerned about “a loss of control over their data when using public cloud services and applications”. [9] The threat of data loss is real.

So, when it comes to the GDPR, have you made any plans yet? Do you already have a budget and/or dedicated resources earmarked for GDPR compliance, not least as it relates to protecting the employee and customer data that you store, process or share using cloud services? If you do, you may be in the minority – and in any case, this is an extremely complex and constantly changing area. “Enterprise goals for security and regulatory compliance are some of the more difficult enterprise requirement areas complicating the selection of cloud services,” say industry analysts Gartner, Inc., adding that although many cloud applications may have a similar look and feel, “they differ significantly in ways that affect risk, and their risk considerations may change over time. Furthermore, for most cloud service categories, dozens of options are available to organizations. Enterprises need to continue to understand and verify the compliance and security posture of this cloud service.” [10]

Elsewhere in the same report on cloud access and security, Gartner comments: “Many enterprises lack a complete understanding of the cloud services they consume and the risks they represent, which makes compliance and protection difficult... Even when cloud services are known, most enterprises struggle to consistently verify compliance or the secure handling of sensitive data within and across these disparate services. Enterprises have no standardised way to detect whether (and when) compromised credentials or unmanaged devices are used to access cloud services.” [11] This type of situation cannot persist under the GDPR.

While some organisations may already have an in-house Data Protection Officer or Information Security Officer, many more do not. Do you currently maintain an accurate and up-to-date information asset register, and are you confident that you have strong technical and procedural controls over all of the data you store or process? Your cloud security and identity access policies must not only be strong enough to have an impact, they will also need to be monitored, enforced and refreshed on an ongoing basis. And remember, if a data breach occurs, you will not only have to notify the relevant data protection authorities within 72 hours: if the leaked data is likely to impact on the rights of the individuals involved, you must also notify them.

8 CNBC, “Biggest cybersecurity threats in 2016”, 28th December 2015 - http://www.cnbc.com/2015/12/28/biggest-cybersecurity-threats-in-2016.html
9 Sixth annual Databarracks Data Health Check Report, 2015
10 Gartner Report: How to Evaluate and Operate a Cloud Access Security Broker, 08 December 2015 | ID:G00292468, Analyst(s): Neil MacDonald, Craig Lawson
11 Ibid.
Towards GDPR compliance: first steps

With so much to take on board, the GDPR can seem a little overwhelming – not least because data protection and cloud security are almost certainly not your core business, nor should they be, even though they are assuming far greater strategic importance to the business. In the majority of cases, GDPR compliance will be enabled by drawing on knowledge, expertise and solutions from specialist CASB (cloud access security broker) companies such as EveryCloud.

The first step is discovery: to better understand the risks you face in terms of the data you hold or process, and any data loss prevention (DLP) issues that might conceivably lead to a lack of compliance now or regulatory infringements later; to reveal key obstacles to compliance and to rapidly identify ways to resolve or remove them. A valuable first step on the road to GDPR compliance is asking six simple questions about your business; you may be surprised by the answers.

- Where do our cloud apps process and store data?
- Do our apps adequately protect data from loss, alteration and unauthorised processing?
- Have we executed a data processing agreement with the cloud apps that we use?
- Do our apps collect only “necessary” data – and limit processing of “special” data?
- Do our cloud vendors forbid use of personal data for other purposes, such as third party sharing?
- Can we erase the data when we stop using an app?
Driving GDPR compliance: the EveryCloud approach

Inactivity is not an option. Cloud security provider CloudLock reports that shadow IT applications create a ‘perfect’ group of three risks: “data loss through unauthorised channels, injecting malware to the environment and compromising users’ identity”, and Gartner, Inc. has also made a Strategic Planning Assumption that “by 2020, 85% of large enterprises will use a cloud access security broker solution for their cloud services, which is up from fewer than 5% in 2015.” [12]

Action is being taken now, and the scale of the challenge in data protection will only increase: in terms of the connected Internet of Things (IoT), Gartner has predicted there will be 6.8 billion connected devices in use in 2016, a 30% increase compared to 2015. By 2020, Gartner says, that number will have risen to more than 20 billion connected devices. During 2016, “5.5 million new things will get connected every day”. [13]

12 Gartner Report: How to Evaluate and Operate a Cloud Access Security Broker, 08 December 2015 | ID:G00292468, Analyst(s): Neil MacDonald, Craig Lawson
13 Gartner Says 6.4 Billion Connected “Things” Will Be in Use in 2016, Up 30 Percent From 2015, 10 November 2015 - http://www.gartner.com/newsroom/id/3165317
The optimum approach to cloud security and identity access security, in pursuit of GDPR compliance, should align with the demands of your business, the security risks you face, and the real-life needs and behaviours of your user community. The EveryCloud approach is based on four key elements, aligned with but also extending “the four pillars of cloud access security” as defined by Gartner: Visibility, Compliance, Data Security and Threat Protection. [14] With more than 100,000 apps already discovered and the number rising steeply, the process starts with gaining an understanding of how your app infrastructure holds together and where the vulnerabilities are hiding.

Discover
It is crucially important to understand the true costs and risks you face, which means identifying the unsanctioned and shadow IT that might compromise your security, result in data breaches and lead to GDPR penalties. Activity can include a comprehensive Cloud Audit, Security Assessment and Cloud Expense Management exercise, taking an in-depth look at the apps and cloud services you use, analysing traffic patterns, examining how your people access the cloud, while also locating sensitive and at-risk data, and understanding the imminent and longer term threats.

Aware
Improved understanding should inform the development of the most appropriate access, identity, data usage and security policies, and also the education of employees on the threats, raising awareness and changing behaviour if necessary. The business has to be fully aware of where its cloud apps actually process and store data, and whether those apps provide the appropriate protections for personal user/customer data against unauthorised access, loss and alteration. The right policies can include firewall, email and data loss prevention (DLP) strategies, to manage, restrict or deny access, and revoke sharing as needed – while avoiding any negative business impacts.

Comply
Policing and enforcement are crucial to protect your organisation and its data, avoiding regulatory intervention, costly fines and reputational damage. You need to make a full commitment to monitoring and managing all cloud apps and services, including file content monitoring to locate and report on all regulated data, including financial and customer personal data, to ensure compliance in data protection. This includes GDPR compliance, PCI and credit card security.

Certify
So long as the threat landscape continues to change and new regulations come into force, an all-encompassing cyber security and data loss prevention (DLP) strategy will remain critical. A planned programme of review and recommendations drives the regular scrutiny and refresh of policies and procedures, regardless of the data involved and for any app, cloud service or provider.

14 Gartner Report: Mind the SaaS Security Gaps, 03 October 2014 | ID:G00263947, Analyst(s): Craig Lawson, Sid Deshpande
Conclusions

In light of the GDPR and other pressing requirements, enterprises want to be sure they are accessing and using essential cloud services – whatever services are required – in the safest ways, avoiding any data leakage and preventing unauthorised data access and sharing at all times. Of course, the price of failing to secure your data both in and out of the cloud can be significant: from data breaches that fall foul of the GDPR to loss of intellectual property assets, reputational damage and impacts on profits.

You can start your journey to GDPR compliance now, by asking the following questions:

- Do you currently have all the information you need to plan for the GDPR effectively – including the true breadth and extent of data storage and data processing services you access and use via the cloud, along with the true extent of unsanctioned and shadow IT in your organisation?
- Do you actually know what user/customer personal data you hold, where it is, and how secure it is?
- Have you already documented and do you enforce the most robust cloud security, identity access and data loss prevention (DLP) strategies and policies?
- Are there gaps in your data protection strategy right now – and do you know the fastest and most effective ways to close those gaps?

CALL 0800 470 1820 EMAIL discover@everycloud.co.uk WEB everycloud.co.uk