According to the European Commission, the General Data Protection Regulation (GDPR) has been a success in the two years since its inception. Yet many still believe that the regulatory requirements aren’t clearly understood or adequately applied when it comes to data stored in cloud databases.
For cloud service providers, and organizations that use them to process data stored on servers, the waters of the GDPR can be somewhat murky since data can be stored in multiple locations. To navigate through the GDPR today, organizations using the public cloud must first understand what it is and then consider the steps they need to take to be compliant.
GDPR in 2020
The GDPR is a privacy and security law that was passed by the European Union (EU) in an attempt to restrict what personal data could be collected and processed from people located in the EU.
It was introduced in May 2018 for people to regain some of their privacy, and as more personal information is moved online, the need for the GDPR and other similar regulations becomes increasingly important.
According to GDPR.EU:
If you process data, you have to do so according to seven protection and accountability principles:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality.
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Additionally, from a data security perspective, organizations must apply “appropriate technical and organizational measures” to ensure data is handled in a protected manner. These measures could include things like configuration standards regarding passwords and encryption.
Awareness has grown since the GDPR was first introduced: 69% of the EU population above the age of 16 have heard about the GDPR, and 71% have heard about their national data protection authority. These people now have a clearer understanding of the data they are sharing with organizations and where they should go if they need to file a complaint.
The GDPR will continue to mature as the public educates itself about data privacy. Consequently, enterprise companies need to be aware of the challenges they will face in cloud computing and how to overcome them to remain compliant.
The Challenges of GDPR Compliance in Cloud Computing
Security and privacy remain the greatest hurdles to overcome as enterprises move to the cloud.
With so much sensitive information stored in cloud databases that can be scaled up and down when needed, it can be hard to determine the exact locations where the data resides. In fact, locating unstructured personal data was cited as the most challenging aspect of facilitating access to subject data according to 56% of organizations. Additionally, enterprises may find themselves following the rights and regulations in one jurisdiction but remain unaware of the regulations in another.
The GDPR stipulates that an organization can’t store data for longer than it is needed and that it should be deleted after its predefined purpose has been served. Unfortunately, this is another challenge of complying with the GDPR in the cloud as providers can store the original data in one location and backups in another, making it difficult to know if these data deletion steps have been properly followed.
In regard to data security, GDPR best practices include encrypting data at all times and setting up access controls to limit employees’ exposure to customers’ sensitive personal information. In the public cloud, this can be tricky for enterprises to track and confirm.
Without a clear way of overcoming these initial challenges, organizations struggle to deal with other issues such as creating a system for responding to data breaches and keeping customer data safe.
How to Implement GDPR Compliance in the Cloud
To successfully implement the GDPR and ensure database security, consider the following:
- Implement solutions with privacy in mind. Organizations should be completely aware of the privacy rights in jurisdictions not only where they operate but also where the data they’re responsible for is stored. By knowing requirements for privacy early on, companies can take steps to prevent shortcomings down the road. This includes fully understanding the security protocol the cloud provider implements and whether it accommodates the organization’s security needs and is in line with the GDPR. For example, a multi-country cloud strategy may be warranted to comply with GDPR adequacy requirements; alternatively, additional data protection safeguards may be required.
- Inventory data often. Identifying what data an enterprise has as well as where the data is stored can help ensure compliance in multiple jurisdictions as well as provide proof that data was deleted in accordance with retention guidelines. Businesses will need to know the geolocation of every database and its backups in addition to knowing when database changes occurred. Not only is it important to have a complete current picture, it’s also crucial to have a historical perspective that can provide assurance of compliance over time.
- Regularly conduct and review vulnerability assessments. Understand how data could be accessed and the steps your organization can take to protect it. Only by knowing how and where data is vulnerable can organizations continually take steps to mitigate the risks. This includes ongoing database configuration checks, looking for unauthorized access points, confirming whether data is encrypted and more. Conducting these assessments allows organizations to determine the best way to ensure database security and find solutions that meet GDPR requirements.
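The inventory and assessment steps above can be expressed as a repeatable check. The following is an added example written for this article, not code from the page or from SecureCloudDB: it runs a data-residency, encryption and retention policy over a constructed database inventory shaped like what a cloud provider's API might return, and also compares two inventory snapshots so that changes (a backup moved to another region, encryption switched off) are visible over time. The allowed regions, the retention limit, the fixed "today" date and the inventory records are all assumptions made for the example.

```python
"""Policy check over a cloud database inventory (added example, constructed data)."""
from dataclasses import dataclass, asdict, field
from datetime import date
from typing import Dict, List, Optional

# Assumed policy values for this example; a real organization sets its own.
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}   # where personal data may reside
TODAY = date(2020, 6, 1)                           # fixed clock so results are reproducible


@dataclass
class Database:
    """One database as reported by an inventory scan (constructed shape)."""
    name: str
    region: str                 # region of the primary copy
    encrypted_at_rest: bool
    backup_regions: List[str]   # regions holding snapshots/backups
    backups_encrypted: bool
    purpose_ended: Optional[date]   # date the stated processing purpose ended; None = still active
    holds_personal_data: bool = True


# Constructed inventory used as sample input.
INVENTORY = [
    Database("orders-prod", "eu-west-1", True, ["eu-west-1"], True, None),
    Database("crm-analytics", "eu-west-1", True, ["us-east-1"], True, None),
    Database("legacy-signups", "eu-central-1", False, [], True, date(2019, 12, 31)),
    Database("metrics-cache", "us-east-1", False, [], False, None, holds_personal_data=False),
]


def assess(db: Database, today: date = TODAY) -> List[str]:
    """Return the list of policy findings for one database (empty = compliant)."""
    findings: List[str] = []
    if not db.holds_personal_data:
        return findings                      # residency rules only apply to personal data
    if db.region not in ALLOWED_REGIONS:
        findings.append(f"primary copy in non-approved region {db.region}")
    for r in db.backup_regions:
        if r not in ALLOWED_REGIONS:
            findings.append(f"backup copy in non-approved region {r}")
    if not db.encrypted_at_rest:
        findings.append("primary storage not encrypted at rest")
    if db.backup_regions and not db.backups_encrypted:
        findings.append("backups not encrypted at rest")
    # Storage limitation: data whose purpose has ended should already be deleted.
    if db.purpose_ended is not None and today > db.purpose_ended:
        overdue = (today - db.purpose_ended).days
        findings.append(f"retained {overdue} days past end of purpose ({db.purpose_ended})")
    return findings


def assess_inventory(inventory: List[Database] = INVENTORY,
                     today: date = TODAY) -> Dict[str, List[str]]:
    """Run the check over every database and key the findings by database name."""
    return {db.name: assess(db, today) for db in inventory}


def diff_snapshots(old: List[Database], new: List[Database]) -> Dict[str, List[str]]:
    """Describe what changed between two inventory snapshots (the historical view)."""
    changes: Dict[str, List[str]] = {}
    old_by_name = {d.name: asdict(d) for d in old}
    for d in new:
        current = asdict(d)
        previous = old_by_name.get(d.name)
        if previous is None:
            changes[d.name] = ["new database appeared in inventory"]
            continue
        diffs = [f"{k}: {previous[k]!r} -> {current[k]!r}"
                 for k in current if current[k] != previous[k]]
        if diffs:
            changes[d.name] = diffs
    for name in old_by_name.keys() - {d.name for d in new}:
        changes[name] = ["database no longer in inventory"]
    return changes


if __name__ == "__main__":
    for name, findings in assess_inventory().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:16} {status}")
```

In the sample run, `orders-prod` and the non-personal `metrics-cache` pass, `crm-analytics` is flagged for a backup held outside the approved regions, and `legacy-signups` is flagged twice: unencrypted storage and data kept past the end of its stated purpose. Feeding yesterday's and today's inventories to `diff_snapshots` is what turns a point-in-time check into the ongoing evidence of compliance the article calls for.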
The GDPR has been challenging to deal with for some organizations, and the results aren’t perfect yet. However, by planning for privacy, understanding where data is located and carrying out regular assessments, organizations can ensure compliance now and in the future.
With so much on the table, it’s worth getting help. Security tools exist that make the process easier. SecureCloudDB, for example, is built specifically for the public cloud and is designed to provide compliance assurance. It draws a full inventory of an enterprise’s databases and their backups, showing where they’re located, what rules apply, what’s changed and whether they are encrypted.
SecureCloudDB’s security violation assessment helps ensure data is handled in a protected manner by revealing misconfigurations. Alerts will notify users of suspected malicious activity or breaches. Comprehensive intel provides a past and present perspective. Easily communicate results to both technical and non-technical stakeholders in order to prioritize actions, document the plan and verify changes with SecureCloudDB.