Reducing scope of GDPR is one way to avoid fines

The General Data Protection Regulation has meant that the age-old debate about the adequacy of security in the cloud has reared its head again, with a recent eperi study of 250 IT security professionals indicating uncertainty when it comes to cloud security in relation to the regulation. It found that 53 per cent of respondents felt GDPR data security requirements would keep them from putting sensitive data in the cloud. For the majority (85 per cent), this was due to their lack of confidence in the protection of sensitive data.

Fines under the regulation seem to be the main driver for meeting compliance and have companies running scared from the cloud, as a fine is likely to be an organisation killer for the worst offences. In fact, 72 per cent noted that they would have to re-evaluate their data security requirements in the cloud because of the regulation that comes into force in May 2018. But amid all of this hype, organisations must not forget that if they first and foremost secure the data that goes into the cloud through encryption or tokenisation, and remain in control of the encryption keys, the scope of GDPR can be significantly reduced.

Encrypting data

The enterprise's legal, risk and compliance teams must essentially become the custodians of the business and apply corporate governance. Where once IT security controlled the IT and data security, the scales have tipped in favour of compliance, and it is becoming a massive driver for any business decision involving sensitive data. IT departments now need to become the implementers of solutions that meet these data compliance requirements.

Encrypting or tokenising data means that it is scrambled or substituted by an algorithm to such an extent that it is rendered unusable to any unauthorised party attempting to access it. The only way to recover the original data is to use a key, which ideally should be under the control of the organisation that owns the data.

Currently, this is where many companies fall down in relation to GDPR: 54 per cent admitted that they rely on their cloud or Software as a Service (SaaS) provider to encrypt data, and just over half (51 per cent) think that it is acceptable for the solution provider to control all or part of the encryption keys.

Where 54 per cent rely on the SaaS vendor for encryption, this is usually for 'data at rest', which under GDPR is only a subset of the 'comprehensive security' guidelines and recommendations, which specify the protection of PII and sensitive PII 'in motion', 'at rest' and 'in use'.

The key here, and something that is very well laid out in GDPR principles, is data control. Specifically, if sensitive encrypted data were intercepted or compromised, can it be reversed? If the answer is yes, then it is still regarded as personal data and is therefore still subject to GDPR principles.

In the past, this has been interpreted as a general data residency requirement on a country-by-country basis, with different mandates depending on location and jurisdiction. With GDPR, the guesswork is taken away and the onus is very much on the organisation, as the data controller, to assume ultimate responsibility for its PII and sensitive PII when using third-party data processor systems.

In the event of data compromise or loss, if the organisation is in full control of its own encryption keys, it can avoid the notification step altogether, because the data is unreadable to anyone outside the organisation. In contrast, if the cloud or SaaS provider controls the keys and the provider is breached, then there is no way to be certain the organisation's data is safe, and notifications and fines ensue.

Tips for businesses as Data Controllers

For modern business, the emphasis is shifting: the question is no longer how safe my cloud SaaS data centre is, but rather how safe the data itself is. A responsible and well-organised enterprise will understand all of its legal compliance requirements and take the appropriate steps to meet them, perhaps now motivated by fines of up to 4 per cent of global revenues, by the naming and shaming that comes with data breach notification, and by the resulting brand damage. This can be covered in three basic steps:

1) Understand what data is going to the cloud. Is it business critical? Does it include personally identifiable information (PII) such as names, contact details, financial or health records and purchase information, or sensitive PII such as salary information, racial or ethnic origin, sexuality and religious beliefs?

2) Classify the data. Know which data is subject to which legal or compliance requirements, by geography.

3) Protect the data itself before it leaves the organisation. Bear in mind that historic tools for managing compliance, such as Data Leakage Prevention (DLP) and now Cloud Access Security Brokers (CASB), too often act as barriers that block information before it enters the cloud, which is unhelpful to modern business. Instead, organisations should focus on technology such as Cloud Data Protection (CDP) solutions that encrypt or tokenise the PII data itself, in motion to the cloud, at rest and in use, and keep it usable to the organisation by offering advanced search and sort functionality. Importantly, control, for example of encryption key management, should always be fully retained by the organisation and not the SaaS vendor, in order to meet compliance and data control standards.
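The pattern described above (substitute PII before it leaves the organisation, keep the key and the reversal mapping in-house so a breach of the cloud copy is unreadable, yet keep equality search working on the SaaS side) as an added example in Python. This is illustrative code, not eperi's or any vendor's product; the gateway, field list, records and key are all constructed for the demonstration.

```python
import hashlib
import hmac

# Fields that the classification step (step 2 above) marked as PII. Constructed.
PII_FIELDS = {"name", "email", "salary"}


class TokenVault:
    """Organisation-held vault. Neither the HMAC key nor the token->value map
    ever leaves the organisation; the SaaS side only ever stores tokens."""

    def __init__(self, key):
        self._key = key          # generate with secrets.token_bytes(32) in practice
        self._values = {}        # token -> cleartext; the only way to reverse a token

    def token_for(self, field, value):
        # Deterministic per (field, value): equal values get equal tokens, so the
        # SaaS application can still search, group and sort on the field.
        # Caveat: for low-entropy fields (e.g. salary) this leaks which records
        # share a value; use randomised tokens where that matters.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        return "tok_" + mac.hexdigest()[:32]

    def tokenise(self, field, value):
        token = self.token_for(field, value)
        self._values[token] = value
        return token

    def detokenise(self, token):
        return self._values[token]   # KeyError for a token this vault never issued


def outbound(record, vault):
    """Gateway, outbound: replace PII fields before the record goes to the cloud."""
    return {k: vault.tokenise(k, v) if k in PII_FIELDS else v for k, v in record.items()}


def inbound(record, vault):
    """Gateway, inbound: restore PII for authorised users inside the organisation."""
    return {k: vault.detokenise(v) if k in PII_FIELDS else v for k, v in record.items()}


def search(cloud_records, vault, field, value):
    """Equality search issued from inside the organisation against tokenised data."""
    wanted = vault.token_for(field, value)
    return [r for r in cloud_records if r.get(field) == wanted]


def exposed_pii(cloud_records, originals):
    """What a breach of the cloud copy would reveal: cleartext PII still present there."""
    cloud_values = {v for r in cloud_records for v in r.values()}
    return {r[f] for r in originals for f in PII_FIELDS if f in r} & cloud_values
```

An attacker holding only the cloud records cannot reverse the tokens even with the HMAC key, since reversal needs the vault's mapping, which is exactly the "can it be reversed?" test the article applies.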

Forrester recently released its Cloud Security Solutions Forecast that shows the cloud services market is set to soar from $114 billion in 2016 to $236 billion by 2020. Its rapid growth is also driving the market for cloud security tools, which Forrester estimates will increase from $1 billion in 2016 to $3.5 billion in 2021. Furthermore, the report notes that businesses are starting to recognise a lack of adequate key management among cloud providers, making key management a bigger priority for time and resource allocation.

Compliance and security can only live in harmony once organisations realise that data control is the biggest issue for GDPR compliance, classify their data, and implement advanced cloud data protection before PII and sensitive PII move outside the organisation's control. If managing corporate risk in this way means there is no need for data breach notification in the event of a compromise, assuming the principles of data pseudonymisation have been met, it reduces the scope of GDPR and is a sure step in the right direction.

Ravi Pather, Senior Vice President, eperi GmbH
