Cloud GDPR compliance: Partners note lack of urgency among clients
Cloud firms work busily to align their businesses with Europe's data protection legislation, but many observe a lack of urgency among clients in the face of the hefty GDPR penalties.
With the European Union's General Data Protection Regulation in effect as of May 25, cloud partners have their hands full as they work to educate themselves and their clients on becoming GDPR-compliant.
The legislation is designed to give European residents more control over their personal data and lays out requirements for data collection, storage and use. U.S. companies that process personal data from European residents and don't comply face GDPR penalties as high as 4% of their annual revenue or 20 million euros, whichever is greater.
But GDPR has raised issues beyond compliance that all businesses need to consider. Although today only around one-third of U.S. internet users are concerned about how their personal data is shared, according to statistics firm Statista in the Altimeter Research report, "GDPR Beyond May 25, 2018," that figure could increase once GDPR is demonstrated overseas.
Meanwhile, Gartner has predicted that more than half of companies impacted globally by the GDPR will not be in full compliance with its requirements by the end of 2018.
Cloud partners perform internal reviews
Some partners said they are prepared both as data processors on behalf of their clients and as data controllers to assist clients in meeting their GDPR obligations.
Managed cloud provider Rackspace has established a Privacy and Data Protection offering around GDPR compliance and is continually reviewing it for consistency. The GDPR services program helps identify and protect a customer's sensitive data such as intellectual property, customer payment information and personally identifiable information (PII), while meeting compliance requirements around securing data at rest.
"The significant thing for businesses to remember ... is [GDPR] is applicable to any business that provides services and goods within the EU or to EU citizens," said Danny O'Neill, head of managed security for the EMEA region at Rackspace. "That's regardless of whether they have a physical footprint inside the EU. If they're providing goods and services and holding data on EU citizens, then they're subject to the GDPR," he said.
The same goes for service providers, which must demonstrate they have an appropriate level of internal security.
Service providers that work with third-party vendors that have access to PII must update their agreements to ensure GDPR compliance. SpringCM, a cloud document management provider and Salesforce partner, is analyzing its contracts with vendors that may have PII access, said Erik Severinghaus, SpringCM's chief strategy and alliances officer. The company has created fields within the platform to ensure those vendors that do have PII access have not only been sent an onward transfer agreement but have signed it.
That way, the firm can demonstrate to regulators it has structured business processes in place, he said. It's not good enough just to show that SpringCM has updated agreements with their vendors, he added. "Every company has to designate an individual who has accountability for all data protection within your organization" and that person has to be identifiable to European regulators, Severinghaus said.
Like Rackspace, hybrid IT service provider Ensono has developed a secure development lifecycle framework as part of its compliance effort. The firm is also conducting training and awareness with its technical team to help them understand how GDPR applies to everything they design and modify, said Charles Nwasor, director of global assurance and advisory at Ensono.
Additionally, Ensono is developing documentation to explain the GDPR compliance work they've done on the back end to clients, Nwasor said. "Our obligation is to ensure our products are securely designed and have the capacity to incorporate technical control modules like cryptography for secure transmission and access control," he said.
Avoiding GDPR penalties: The 99 articles
Rackspace offers security services to help businesses demonstrate they have measures in place to meet GDPR compliance. The regulation contains 99 articles, and O'Neill said the firm is "honest that we cannot solve all of those as one technical solution." Rackspace can manage the encryption portion for customers, he said. But he stressed that reaching compliance has to be a combination of technology, internal processes and organizational structures within organizations.
Other cloud partners said they can assist with a portion of the regulations. Cloud infrastructure governance vendor Fugue, for example, provides GDPR services for infrastructure configuration, such as the use of encryption, network rules and access privileges, said Josh Stella, Fugue co-founder and CEO. There are also application-level regulations within the GDPR, but Fugue is not focused on those, he added.
GDPR compliance challenges
While cloud partners say they are doing their due diligence, some question how ready some of their customers are to become GDPR-compliant.
Rackspace is "on our journey to meeting the GDPR requirements and protecting the data we process," O'Neill said. However, "one of the concerns I have for a lot of customers ... is the ability to first detect a breach, but more importantly, the ability to respond to a breach, assess the impact and be able to notify the authorities a breach has occurred," he said. GDPR now puts that responsibility on the data controller to notify the country's relevant authority within 72 hours.
"What we're finding in talking with our customers is figuring out the unstructured data," Severinghaus said. "How to comply with GDPR with the documents in your infrastructure is potentially the hardest part of this."
When it comes to IT infrastructure -- where Fugue plays a role -- GDPR requirements are fairly straightforward and easy for customers to understand, Stella maintained. "But understanding [requirements] is one thing; implementing and enforcing them is the challenge."
Fugue helps customers inspect existing infrastructure to ensure it meets security and compliance policies. The company also examines how customers can validate compliance before provisioning and how to ensure nothing that violates GDPR compliance gets created without slowing down operations with time-consuming reviews, he said.
Common pitfalls of working with customers
One of the challenges faced by businesses subject to GDPR compliance is that the whole data discovery phase seems daunting, O'Neill said. "One of the first exercises, and probably the most challenging, for a business in the modern environment is [to determine], 'What data do I hold?'"
The company must then identify what data is personal and where it is stored. For some businesses that can be a very onerous task, he said.
Rackspace sees this as a shared responsibility between itself and the customer, O'Neill said. He mostly deals with European-based businesses and said in the past year there has been increased awareness about GDPR. "We've had a lot of positive conversations with businesses, and they're very receptive and want to understand what they need to do and what we're doing."
But others don't think companies are taking the regulation and potential GDPR penalties seriously yet. "Although GDPR is increasingly becoming a four-letter word and people are talking more and more about it," Severinghaus said, "we think there's still too much complacency out there."
Stella concurred. "There does seem to be some confusion and differing opinions about what GDPR enforcement will look like and the nature of what the May 25 deadline really means," he said.
Under GDPR, individuals will have the "right to be forgotten" when it comes to their personal data. Severinghaus said when they talk to prospective clients and ask what they are doing about that, "a lot of companies still don't have good answers to that question. It's shocking to me how many people we go in and talk to don't have good answers to basic questions."
He's still "waiting for that 'aha' moment ... with the industry as a whole," he added.
One of the biggest challenges is getting multiple business units to coordinate and work together toward the goal of being GDPR-compliant, he noted. "It's the hard work of getting teams of our customers in the same room to understand the problem at the scale of the company," Severinghaus said. "Once everyone has agreed to solve it in the room, none of these things are technically difficult."
Another concern some partners have is that GDPR is subject to broad interpretation. "Because the law is not superbly prescriptive ... there's too much room for divergent interpretations" when it comes to areas like the requirement for companies to implement technical and organizational controls, Nwasor said. The focus should be on a risk-based approach, he said, but some companies may end up doing too much or too little.
"I've personally seen companies that think all they need to do for GDPR is hold an awareness seminar for employees and they're fine, and that's not the case," he said.
Like Severinghaus, Nwasor said Ensono sees a lot of companies not taking the regulation and potential GDPR penalties as seriously as they should, "so there's very limited awareness or action taken." He said Ensono also has clients and third-party partners that have been sent the addendum to their existing contracts but are not responding.
The client's responsibilities vs. the cloud partner's
It's important, Nwasor said, that clients understand the roles and responsibilities of a service provider that designs or provides products and services. "Our responsibility is only to an extent," he stressed. "Clients are responsible for being compliant."
O'Neill noted that existing data regulations today in the U.K., Western Europe and the U.S. "are already some of the strictest in the world" due to existing compliance frameworks. He said businesses should look at what they already have in place because they can map that to GDPR with some adjustments.
"My message is yes, this is new and significant and will impact how businesses protect data, but the first thing businesses should do is what you already do today," O'Neill said. "If they're already adhering to strict data regulations and they already adhere to compliance frameworks, they can map across to GDPR ... that enables them to focus on gaps as opposed to treating this as an entirely new exercise."