freshidea - Fotolia


Strategizing cloud GDPR compliance for the content app stack

Box compliance president Crispen Maung discusses vendor-agnostic GDPR compliance tips for subscribers to CMS cloud services as they ready for GDPR enforcement in late May.

When it comes to GDPR compliance, what is the difference between having an enterprise content management system on premises vs. a cloud CMS provider? Cloud GDPR compliance, it turns out, has an extra step: Cloud enterprise content management customers doing business with EU citizens must document their cloud provider's data security methods, as well as their own.

To accomplish that, cloud CMS providers need to procure documentation that confirms their security measures are up to GDPR data protection snuff, as well as their ways of tracking and securing cross-border transfers of data.

For its customers, Box Inc. documents that it has put Processor Binding Corporate Rules and Controller Binding Corporate Rules into place and participates in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to provide a legally recognized way to transfer data across European borders.

That's one pathway to proving readiness for GDPR. Box also earned the ISO/IEC 27001 and ISO/IEC 27018 data protection certifications, as well as two German certifications -- the Cloud Computing Compliance Controls Catalogue, or C5, and the Trusted Cloud Data Protection Profile -- which includes an independent audit for compliance with the German Federal Data Protection Act.

Crispen Maung, compliance vice president, BoxCrispen Maung

Taken together, all those benchmarks represent years-long preparations to document cloud GDPR compliance, said Crispen Maung, vice president of compliance at Box. However your cloud CMS vendor does it, it's almost time for those service providers to show they are ready for the sweeping regulation that puts personal data ownership into the hands of EU citizens -- and holds companies accountable for how they handle it.

Tips for GDPR strategies

Box recently rolled out its Data Processing Addendum (DPA), a document it prepared to attest that all those certifications were earned, and that EU citizens' data is being processed and managed in a GDPR-compliant manner.

Customers can, in turn, attach their own cloud GDPR compliance plans. DPAs should be collected from all the cloud vendors in an organization's tech stack that touch customer data to confirm that they maintain GDPR compliance outside the organization's walls.

Maung, who has worked on Box's GDPR compliance preparation, offered a few more considerations for organizations that are using cloud CMS platforms and putting the finishing touches on their cloud GDPR compliance, regardless of the vendor they're using.

  • Examine your data access controls. Some Box customers may choose to use a feature called Box Zones to cordon off the data of EU customers; other CMS vendors may offer different configurations to accomplish similar goals. But that's just the start: Maintaining access controls to ensure that only the employees who should be working with customer data can access it is critical to compliance.
  • Understand your operations. Using cloud providers with GDPR-grade data security is just the start for compliance. You need to know who internally is using customer data -- and what they're doing with it -- and document it to prove it. "You have to show you have effective control over the data as it moves through your organization," Maung said.
    For many companies, erasing someone's data throughout its IT ecosystem upon request requires brand new processes.
  • Build right to be forgotten More bedrock GDPR: For many companies, erasing someone's data throughout its IT ecosystem upon request requires brand new processes. While some organizations may focus on CRM or marketing automation systems for these protocols -- because that's where much of this data resides -- don't forget that it probably extends throughout your enterprise content management system, too.

That last one, the right to be forgotten, may be a bigger task than it looks on paper, Maung said, because companies don't always know all the places where personal data resides on their network.

"They haven't done the analysis, necessarily, as deep as they should do," Maung said. "Also, they sometimes don't know how that data is being used in their organization -- how it's perforated the different silos and gotten spread across their entire organization."

The good news, he said, is that as many organizations move from on-premises CMS to the cloud, it forces them to see what data they have, where it resides and how it is handled by various teams. That is the opportunity to segregate and secure data using principles that represent the heart of GDPR compliance.

Dig Deeper on Content management software and services

Business Analytics
Data Management