The General Data Protection Regulation (GDPR) was adopted by the European Commission to unify and strengthen data protection for all people of the European Union. It provides a single set of data collection, storage and use regulations for all companies to abide by. This infographic from the European Commission nicely summarizes the GDPR, though it makes claims about its benefits to business that some are skeptical about.
Passed in April 2016, the GDPR takes effect May 25, 2018. Ostensibly, this should make doing business easier, and most believe it ultimately will. At this halfway point to becoming the law of the land in Europe, complying with the GDPR is proving to be a challenge for companies of all sizes. In no realm are the difficulties more evident than in cloud computing. That’s our focus here.
Why GDPR Compliance is Difficult in the Cloud
There are two primary reasons why Cloud providers are sweating the compliance deadline: the high cost of getting there, the potential loss of customers, and the threat of fines as high as 5 percent of their annual revenue.
First, a recent study showed that only 1 percent of Cloud providers had data practices complying with the regulations that will soon be cemented into place. To highlight the problem, only 1.2 percent of Cloud providers give users encryption keys that the customer manages. Just 2.9 percent have secure password enforcement that is robust enough to pass GDPR muster. The number is better, 7.2 percent, for Cloud providers with proper SAML integration support. When starting with such small percentages, it’s not hard to see why few companies hit the mark for all three of these GDPR criteria.
Second, European businesses that make use of Cloud provider services use an average of more than 600 cloud apps. According to the Netskope Cloud Report, “Organisations underestimate this figure by about 90 percent. This is shadow IT in a nutshell, and of course, raises the question of how cloud-consuming organizations can ever hope to comply with the GDPR if they don’t know 90 percent of the apps people are using.”
The adage that the person who doesn’t know that he doesn’t know is a fool and should be shunned applies to businesses as well. When a company uses non-complying apps as part of its cloud storage, likely without knowing, it will first be heavily fined by the EC and then shunned by customers when exposed. This also goes beyond Europe itself. If your company has customers that are from Europe, then you’ll have to comply with these new standards, no matter where you are. Even tiny companies from the other end of the world, like this practice management software from Australia, will have to get in line – even if their software is used locally, one of the customers could be from Europe, and then you’re in for a treat. That’s the doomsday scenario that has CIOs and IT managers waking up in a cold sweat to the sound of their own shrieking.
Next-Generation Cloud Computing
Data controllers, also called data owners, are the banks, credit card services, retail stores, health providers, charities, membership organizations and every other business or NPO that collects data from individuals. Data processors are the Cloud services providers. Until the General Data Protection Regulation takes effect, the data owners bear responsibility for protecting the data, not the Cloud services providers. As of next May, when the GDPR rules apply, the two will share equal liability, and this has Cloud providers scurrying to determine how best to make sure that the data their customers are putting on their servers is properly protected within the bounds of the GDPR.
Given this scenario, how will the GDPR affect cloud computing in the coming era?
1. Protection: Ensuring Compliance
Both data collectors and processors will share liability for non-compliance, so they must both take action, some of which will inevitably be redundant. Andy Alpin of Netskope outlined app compliance on the Cloud Industry Forum:
- Know what apps are in use and know where they’re storing data. If it’s on servers in Europe, then compliance is essential.
- Use only apps that comply, and block or develop compensating controls for those that don’t.
- Formalize data processing agreements with app providers that demonstrate the ability to comply with the GDPR privacy requirements and allow you to fully erase information if you stop using the app.
- Don’t collect more data than you need, and don’t permit the app to share it with third parties.
2. Competition: Leveling the Playing Field
Companies in Europe, the US and Asia will be playing by one set of rules rather than the 26 different sets currently in use by the 28 EU member states. The regulation will produce a level playing field for all. Once a Cloud services provider demonstrates that it complies with the GDPR, it will be attractive to data collectors of all sizes that want a safe place for Cloud functionality.
3. Price: Increasing Cloud Computing Cost
Competition brings costs down, but regulation drives them up, as does compliance. According to one industry journal, “The majority of public clouds keep costs down by relying on global, unregulated resources and will therefore probably need to invest heavily to meet the new regulations.”
For example, it’s expected that Data Protection Officers, along with an office full of staff for each, will need to be hired by 28,000 companies that fit the GDPR’s definition of those handling very large amounts of sensitive data.
Enforcement will be extremely expensive. That’s why the fines for non-compliance will be enormous – to pay the salaries of those monitoring, investigating and enforcing the regulations.
While the cost of the GDPR won’t be analyzed for some time, early projections are in the billions, whether dollars, pounds or euros. Cloud computing cost will surely rise, and that cost will be partially passed on to all of us. However, spread out among billions of people, the increase might be small.
The Bottom Line for Cloud Providers, Customers and You
The most realistic scenario is that Cloud providers in Europe will get control of compliance issues by the May 2018 deadline. Their added costs will be passed on to their business customers, but those costs will be offset by fewer costly data breaches and more competitive pricing from global Cloud providers. The individual – all of us – won’t notice any change in cost or services, but we’ll have the peace of mind that our personal information is more secure than ever. While the EU won’t get to this point overnight, the doomsday warnings about the transition won’t be realized.