The European Union (EU) contains 28 countries and it has some of the strongest sets of data protection regulations in the world. These don’t just affect organisations based in Europe, but anyone who deals with PII (personally Identifiable Information) of any citizens of those 28 countries. In this globalised world, that probably means you!
Organisations which hold this information need to conform to the current EU Data Protection Directive (and in future, their likely even stronger EU General Data Protetion Regulation). The directive includes requirements to keep the data secure and that the data must not be exported outside the European Economic Area except to countries or organisations that have signed up to equivalent privacy protection.
There is a list of countries with equivalent protection including Argentina, Canada, Israel, Switzerland and New Zealand. Data can be exported to the USA if the company the data is sent to has signed up to the US Department of Commerce’s Safe Harbor scheme. Sadly, less than 9% of US cloud service providers have signed up to the Safe Harbor scheme.
Skyhigh’s Q3 Cloud Adoption and Risk in Europe Report looks at the cloud service providers used by employees in European organisations and 74.3% of the providers do not meet these stipulations – so any organisation sending PII to these service providers is breaking the EU Data Protection Directive.
At present, fines for data loss can be up to $800,000, though the proposal is that the new regulations will increase this to 5% of turnover. Anyone who has data on EU citizens should be taking a very careful look at their data safeguards and the contracts between themselves and any cloud provider that they use.
To read the full story including the top cloud services in use by European companies, destinations for data in the cloud, and risks, download the full report below.