Whether your organization is based in Europe, has operations in Europe, or handles data pertaining to EU residents, a proposed EU regulation in the works will have a significant impact on which cloud services you use and how you use them. The EU GDPR (General Data Protection Regulation) is expected to be passed this year and take effect beginning in 2016.
The law is meant to replace the EU Data Protection Directive adopted in 1995 and modernize the original directive for the Internet era. Under the proposed law, liability for data breaches and violations of the law will be shared between data controllers (organizations that own the data) and data processors (such as cloud providers that store the data).
The proposed law governs how organizations treat the privacy of personal data and has far-reaching implications in an era where companies manage enormous amounts of data ranging from names, email addresses, phone numbers, and computer IP addresses. The penalties for violating the proposed law can be severe – up to 5% of a company’s annual revenue or up to €100 million, whichever is higher – and many cloud providers in use today are not prepared to meet the new requirements.
The right to be forgotten
One of the most well-publicized and controversial amendments to the proposed regulation is the right for individuals to request deletion of data identifying them. When you consider that the average organization uses 738 cloud services, complying with this requirement presents some unique challenges. First, organizations must notify individuals and receive their consent before storing or using personal data in any way. If those individuals request that data be deleted, organizations are legally required to permanently delete all copies of the data. That includes all copies that may be stored by third party cloud providers. The problem is 63% of cloud providers maintain data indefinitely or have no provisions for data retention in their terms and conditions. Another 23% of cloud providers maintain the right in their terms and conditions to share data with another third party, making it even more difficult to ensure all copies are deleted because of the numerous parties with whom your cloud providers shares data.
Data center location and residency requirements
The General Data Protection Regulation requires that you do not store in or transfer data through countries outside the European Economic Area that do not have equivalently strong data protection standards. Those data residency requirements also apply to cloud providers with data centers around the world, which in the normal course of operation may transfer and store data in countries that do not meet European privacy rules. The list of countries that satisfy EU privacy requirements today is very short, at only 11 countries. Notably absent from the list is the United States, where 67% of all cloud services are headquartered. However, the current EU Data Protection Directive offers an exception to use the 8.9% of US-based providers that have Safe Harbor Certification and it’s expected the proposed regulation will support this provision as well.
For an overview of current EU data privacy regulations view our Slideshare:
Breach notification, encryption, and passwords
A draft version of the proposed regulation requires you to notify EU regulatory authorities within 24 hours of a data breach, even if the breach occurs in a third party cloud service. How do you know if there is a data breach in a cloud service? The answer is you may not know. Many cloud providers expressly put the responsibility on the customer to detect breaches. You should carefully read the terms and conditions before signing up for cloud services you plan to use to store personal data.
Some existing regulations including the UK Data Protection Act of 1998 and France Data Protection Act allow you to circumvent breach notification requirements if data is made inaccessible to third parties using encryption. Today, only 1.2% of cloud providers provide encryption using tenant-managed encryption keys but a new generation of cloud encryption tools are providing organizations with more options.
Existing European data privacy laws also require that you take steps to protect personal information. For instance, the France data protection authority CNIL recommends strong passwords, secure workstations, network security, and information security training. This is one area in which failing to utilize proper security procedures can cause you to be found negligent, increasing the cost of fines after a security breach is reported.
The challenge is that not all cloud providers offer tools to secure data natively. In fact, only 2.9% of cloud services enforce secure passwords. A higher number (7.2%) support SAML integration with single sign-on providers such as Okta, OneLogin, and Ping Identity. Look for these services when procuring new services since they will allow you to leverage SSO to enforce secure password policies.
The General Data Protection Regulation does not go into effect until 2015, but Skyhigh CASB’s CloudRegistry of over 7,000 cloud services shows that today only 1 in 100 cloud providers meet all the criteria outlined above. Looks like there’s some serious work to do before this regulation goes into effect.