Think GDPR Doesn’t Affect Cloud Service Providers? Think Again

Marc Sollars (pictured) is chief technology officer at Teneo, a global solutions provider and system integrator with U.S. operations based in Dulles and Richmond, Va., as well as Omaha, Neb.

If you have U.S. companies on your client roster, you may not think they’re affected by the European Union’s General Data Protection Regulation (GDPR) if their businesses are not physically located within the EU. But if they do any kind of business in that region, chances are GDPR applies to them.

The EU parliament passed GDPR in April 2016; it's scheduled to take effect in May 2018. Companies doing any business in the EU will be required to understand what personal data they have and collect on EU citizens, and adhere to specific legal obligations to protect that data.

For CIOs, the question of what data they have, where it resides and how secure it is will require some introspection, if not deep analysis. GDPR supersedes previous European notions of privacy and puts an EU citizen’s right to data privacy at the heart of the digital economy, encoding principles of "accountability" and a citizen’s "right to be forgotten" into law and commerce. Under the directive, any organization handling the data of EU citizens will become liable for managing all unstructured personal information held and processed on their networks or in the cloud.

But, what makes GDPR so demanding for CIOs is that most organizations have adopted cloud-based business processes (whether their own or by outsourcing to cloud and SaaS suppliers), bring your own device (BYOD) programs and social networks, with varying controls on personal data. Some observers estimate that around half of an organization’s data resides off-premise, so the IT team doesn't have as much visibility into data assets - or their final uses. Under GDPR, any company that processes data in the cloud will need to ensure that its cloud provider offer sufficient guarantees to implement appropriate technical and organizational safeguards that meet the regulation.

Which brings me to this question: Are you, as a cloud service provider, GDPR-compliant? While some cloud providers have said that they're working toward that – for example, public cloud leader Amazon Web Services has said it will meet the EU deadline -- it's the end-user business that will be responsible for ensuring its own compliance.

Given that, practical GDPR planning begins with finding out who does what to the organization’s data and when it leaves the organization’s jurisdiction. Government, privacy bodies and business organizations will demand that boards and CIOs take a risk-managed approach to policy in which, for instance, companies design application sanctioning and auditing processes; establish notification processes to alert stakeholders and affected clients about data breaches; and build data security into products and services.

These policy and enforcement frameworks are fine in principle but will add massively to CIOs’ IT management and compliance workload. The biggest practical contribution to the GDPR will be required at a vital but unseen level: through CIOs’ ability to gain visibility, control and compliance of data and underlying network operations as personal data sets are moved through multiple value-added processes.

Relevant organizations will need to clearly define sanctioned and unsanctioned cloud and SaaS applications, as well as permissible behaviors within them, and put tools in place to control their access and usage.

This also extends to data providers, such as data backup services, which need to  implement processes and systems to extend their customers' capabilities when it comes to some GDPR requirements. Within the regulations, every consumer will have “easier access to any data saved about them” and also the “right to be forgotten,” where data can and should be deleted once it's no longer necessary. Providers need to extend their services to simplify how customers can both visualize this end-user data, then easily remove it when it's required.