Cybercriminals are opportunists just like any entrepreneur, meaning they go where the market takes them. And today, they're not just building thriving dark web businesses selling stolen credit card data; they've also developed a booming market for buying and selling consumers' personal information.
Digital dossiers that include names, addresses, and Social Security info for creditworthy consumers are going for as much as $80 a pop on the dark web. It's for reasons like this that the European Union has passed stricter data protection laws, which go into effect in May 2018.
Under the General Data Protection Regulation (GDPR), organizations can be fined up to 4% of their annual revenue or €20 million, whichever is greater, if they're found to have committed the most serious infringements, such as not having sufficient customer consent to process data. GDPR's new EU-wide rules apply to companies and cloud providers alike.
Does GDPR Apply to You?
If you’re a US-based company, you may be thinking you can breathe easy. But GDPR applies to all companies processing the personal data of people residing in the EU.
That means it doesn’t matter where your headquarters is located, it matters where your customers and prospects are. If you gather personal data from one EU resident, you’ve just fallen under GDPR and may be subject to maximum revenue fines if something goes awry.
Three Important Aspects of GDPR
If you find that GDPR is relevant to your company’s operations, there are three key areas you should be aware of.
- The first is the requirement of a Data Protection Officer. The DPO is responsible for ensuring the firm's compliance with GDPR and must be of a sufficiently high level to be able to design and implement the company's compliance program. Many small and medium-sized companies do not have an employee in that role at that level, if at all.
- The second key requirement is pseudonymization, which requires a firm handling data from an EU citizen to adequately remove any personally identifiable information. This can be problematic for companies that use marketing automation software or similar services such as Google Analytics.
- Third, a controversial tenet of the regulation is the "Right to Forget" clause, which requires firms to remove all records of an EU citizen on request, including data such as website visits and IP addresses. It has engendered much debate and leaves many questions unresolved, such as how to treat backups and how it will be enforced legally.
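The second and third points above, pseudonymization and erasure on request, can be illustrated together. The example below is added here and is not code from the original post or from any provider it mentions. It assumes a constructed sample of web-analytics records: direct identifiers (name, email, IP address) are replaced with keyed HMAC-SHA256 tokens so that records for one visitor can still be linked for analytics, while the key, which must be stored separately from the data, is the only way to reattach a token to a person. The same key is then what lets the firm locate and delete that person's records when a "Right to Forget" request arrives. Unkeyed hashing would not be enough for fields like email, because anyone can recompute the hash of a guessed address.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; none of these values refer to a real person.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "ip": "203.0.113.42",
    "page": "/pricing",
    "country": "DE",
}

# Fields that directly identify the data subject (hypothetical schema).
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def generate_key():
    """Create a 256-bit pseudonymization key.

    Keep this key in a separate system (KMS, secrets store) from the
    pseudonymized data; whoever holds both can re-identify the subjects.
    """
    return secrets.token_bytes(32)


def token_for(key, field, value):
    """Keyed, field-separated token for one identifier value.

    The field name is mixed into the message so an email token and an IP
    token for the same string never collide, and so tokens cannot be
    compared across fields.
    """
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize(record, key, identifier_fields=DIRECT_IDENTIFIERS):
    """Return a copy of `record` with identifier fields replaced by tokens.

    Non-identifying fields (page, country) are kept so analytics still
    work; identifiers become deterministic tokens that are useless
    without the key.
    """
    out = dict(record)
    for field in identifier_fields:
        if out.get(field) is not None:
            out[field] = token_for(key, field, out[field])
    return out


def erase_subject(records, key, email):
    """Drop every pseudonymized record belonging to the person with `email`.

    Recomputing the email token with the separately held key is what
    makes the records findable; without the key, the tokens cannot be
    matched back to the requester.
    """
    target = token_for(key, "email", email)
    return [r for r in records if r.get("email") != target]


if __name__ == "__main__":
    key = generate_key()
    store = [pseudonymize(SAMPLE_RECORD, key)]
    print("pseudonymized:", store[0])
    remaining = erase_subject(store, key, "jane@example.com")
    print("records left after erasure request:", len(remaining))
```

The analytics side only ever sees the tokenized records; the key lives with whichever team handles data-subject requests.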
How Cloud Providers Are Preparing
Since part of the responsibility for data security falls to the cloud providers hosting your data, AWS and Microsoft Azure have both released a great deal of information on how they’re complying with GDPR.
AWS made its preparedness clear in its white paper on GDPR, saying, "We can confirm that all AWS services will comply with the GDPR when it comes into effect in May 2018." This includes the provision of compliant storage, data access controls, and monitoring and logging, which the provider details at length in its paper.
Microsoft has also detailed how its solutions make it easier to comply with GDPR, through access management and control in Azure Active Directory and the ability to classify, label, and securely share information with other parties through Azure Information Protection. It also provides resources where you can learn how Office 365 is complying and equipping customers with built-in, audit-ready tools.
But the responsibility doesn’t all fall to cloud providers – in many cases, the buck stops with you, as the organization collecting and using your customers’ personal data.
How You Can Prepare
First and foremost, it’s wise to consult with your legal counsel regarding how you may be affected by GDPR and what you should do to prepare. If your company can’t risk a 4% revenue fine (who can?), it’s well worth seeking the proper channels to make sure you’re fully versed on GDPR and ready for this change.
To supplement that outreach, here are two resources to help you learn more and get your preparation underway. Microsoft Azure offers a GDPR compliance assessment that will help you evaluate your preparedness and recommend next steps.
In addition, the Information Commissioner’s Office in the UK has provided a 12-step process for preparing for GDPR.
Data Privacy Is Important – We’re Here to Help
While working with the Codero team is not a substitute for speaking with your legal counsel and conducting independent research, we’re here to help you ensure your infrastructure and systems are GDPR compliant.
Talk to us about how a hybrid multi-cloud strategy can help you leverage AWS and Azure’s compliant services to make your path to continued compliance smoother.