GDPR Compliance in the Cloud

With the upcoming onset of the GDPR, many companies are seeking to leverage their cloud services for GDPR compliance. The Microsoft Office Modern Workplace episode, ‘GDPR: What You Need to Know’ includes outlines to make this process painless.  Companies want to ensure that those cloud services in use are compliant.  The GDPR places a higher burden on companies storing data on Europeans, and for many businesses, this data resides in the cloud.  Some important GDPR compliance considerations include building support for the consent requirement, rights to erasure and data portability, and 72-hour breach notification, among other GDPR requirements.

The good news is that cloud providers have not been standing still and they can be a valuable partner for a company’s compliance effort.  The decision to utilize the services of cloud providers was likely made not only for the features they provide but because cloud providers can often implement security controls and procedures that would be cost prohibitive for a company to do on its own.  Many cloud providers are actively considering how to comply with GDPR, and some have already adopted GDPR compliant practices.

Today, cloud services are not only present in organizations, they are often ubiquitous.  One study found that European companies are using over 600 cloud services on average and it is likely that U.S. companies use a similar number of cloud services.  So how do companies with such a large cloud presence comply with GDPR?

Assign compliance responsibility

The first step in the GDPR compliance effort is to identify which person or group will be responsible for ensuring compliance with GDPR.  This may be different groups depending on the organizational culture or the business use of personal information.

According to Karen Lawrence Öqvist, CEO at Privasee, the group responsible may include legal, compliance, or even IT.  IT is often the driver in companies where collecting data is not core to the business while legal often has responsibility when there is an emphasis on the collection of personal information.   No matter which person or group is chosen, someone must be accountable for bringing the company into compliance.

Identify cloud providers

The individual or group responsible for compliance must then determine which cloud providers are in use and what data is stored or processed on these cloud services.  It can be tempting to reduce the scope of the process only to those that house data on Europeans, but this might be a short-term perspective.  Companies must be careful not to limit their scalability and agility by staying on non-compliant systems because those systems may need to house such data in the future as the company evolves.

GDPR compliance can also be an opportunity to build a better relationship with customers.  According to Brendon Lynch, Chief Privacy Officer at Microsoft, the increased control and transparency mandated by the GDPR can be a way to build and maintain more trust with customers.  This is a benefit not only for European customers, but also those around the globe.

Once cloud providers have been identified, consider ways to consolidate services to reduce ease management and compliance with GDPR.  Take the time to identify redundancies and standardize those services across the enterprise with a single provider.  Tiered pricing models and bundling of services can reduce cost, but the primary driver for these changes is reduced complexity of data flows to and from cloud providers.  Do not limit this analysis to cloud providers only.  Consider also which activities are performed in-house and whether moving those operations to a GDPR compliant cloud provider would increase efficiencies or lower costs.

Gap analysis

Next, conduct a gap analysis of each cloud vendor.  Vendor management or compliance groups may send out questionnaires to assess whether cloud providers have the capability to meet GDPR requirements and, if not, whether they have a reasonable plan on how to implement these capabilities before the May 25, 2018, deadline.

Mainstream cloud vendors have been some of the most proactive in implementing methods to secure data in their cloud service offerings and to do so in a way that is compliant with the GDPR.  For example, in the recent Microsoft Office Modern Workplace episode, GDPR: What You Need to Know, the Office 365 prebuilt filters were demonstrated.  These filters are already in place for personal data types such as those used by European countries.  Administrators can use filters to define a policy that will automatically identify data in email, SharePoint, and other Office cloud services, and then take specific compliance actions.

Conduct privacy impact assessments

Privacy impact assessments should be performed on high-risk assets such as HR or financial data to ensure that this information is adequately protected with whichever cloud providers are storing or processing the data.  Privacy impact assessments analyze what personal information the company is collecting, why it is collected, and how it is stored, used, and protected.

Document and train on procedures

It is not enough for the cloud provider to have the capability to comply.  The company must be able to use these capabilities in their compliance strategy.  For example, the option to remove or transfer personal data may be possible on a cloud system, but the company must document how to utilize these features if needed.

Persons or departments in the company must then be trained on how to perform these actions so that they will be ready and able when customers make data requests.  Training alone is not sufficient to ensure that staff will meet the GDPR’s stringent 72 hour notification period.  Here, simulation can provide more reliable assurance that incident response activities can be performed in compliance with the GDPR.  Simulations should have incident response teams and cloud service providers work together to effectively investigating a data breach and gather information for notification.

Wrapping it up

Companies who wish to comply with the GDPR by the May 25, 2018 deadline are trying to understand where their data is, particularly that of Europeans, and how that data is handled.  Cloud providers can be a great partner in this effort and companies should embrace their cloud providers in the effort to become compliant.  Consider your cloud provider a core partner in your compliance rather than a liability and utilize what they have to offer in order to meet the GDPR requirements.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Important considerations for your business and GDPR

The General Data Protection Regulation (GDPR) is the latest in a host of rules designed to protect privacy.  It is significant because it affects companies that do business in Europe or collect data on Europeans.  GDPR’s wide-ranging scope ranks it right at the top of significant regulations, sitting beside well-known requirements such as HIPAA and PCI.

Your business may be doing quite a few things required by GDPR already because GDPR has similar goals to other regulations.  While HIPAA is designed to protect patient information in covered entities and business associates and PCI to protect credit card information from card processing environments, GDPR aims to protect the personal information of Europeans.  This overlap of objectives results in a considerable similarity in GDPR specifications to those of other regulations.  However, GDPR does introduce some new requirements that companies need to understand.

The upcoming Microsoft Office Modern Workplace episode “GDPR: What You Need to Know” incorporates the expertise of Brendon Lynch, Chief Privacy Officer at Microsoft, and Karen Lawrence Öqvist, CEO at Privasee on how to prepare for GDPR.  Some fundamental aspects of GDPR that are distinct from other regulations include the consent requirement, rights to erasure and data portability, accelerated breach notification, and the requirement for a data protection officer.

Consent requirement

GDPR mandates that companies obtain consent from individuals before storing their information.  Consent must be specifically for how the data will be used.  Organizations must first spell out how they will use an individual’s data and then obtain the approval for that use.  Data use is then limited to only what the person allowed, and the organization must keep records on how information is used and processed.  This information must be produced upon request by supervisory authorities, a local governing body that the business has associated with for purposes of compliance and reporting.

Rights to erasure and data portability

Under GDPR, individuals have the right to erasure and the right to data portability.  Companies must remove the data they have on a person if requested to by the individual, and they must facilitate the transfer of a person’s information from their systems to another system using an open standard electronic format that is in common use.

Accelerated breach notification

Breach notification timelines are greatly accelerated in GDPR.  The supervisory authority must be notified within 72 hours of the breach.  This notification must include the relevant details of the breach including the number of victims impacted, and personal records disclosed, likely consequences to victims due to the breach, how the company is handling the breach, and what the company will do to mitigate possible adverse effects of the breach.  This accelerated schedule will require businesses to have a much more robust incident response and investigative procedures as well as effective coordination of incident response, legal, investigative, and executive teams.

Data protection officer

Much like HIPAA’s privacy officer requirement, GDPR requires public authorities and organizations to have a data protection officer when their core business involves large scale processing or monitoring of individuals.  The data protection officer must be a senior person in the organization who reports to executive management.  They must have the freedom to operate independently from the rest of the company and be provided with adequate resources to perform their role.

Next steps

We live in an incredibly globalized world, one where businesses of all sizes work with customers spread around the world.  GDPR has a wide-ranging impact on these companies, so it is important to understand its requirements.  In addition to what has been presented here, the Microsoft Office Modern Workplace episode on GDPR provides some excellent guidance.  Begin the process now to position your company to operate and thrive under GDPR. The deadline for companies to comply with this regulation is May 25, 2018.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Key security strategies for data breach prevention

If we have learned anything over the last few years about data breaches, it is that they are likely to happen.  However, data breach frequency can be reduced and its impact minimized with some key strategies.

Both response and prevention efforts are greatly impacted by organizational culture.  Organizational culture is formed over years as certain values and behaviors are reinforced or discouraged through a series of successes and failures.  Security is seen as important and vital to organizational success in positive security cultures while it is ignored or even discouraged in negative security cultures.

You can reinforce an existing security culture or bolster a lagging one with some of the same strategies.  The first strategy is to make the topic of security a common one.  Discuss risks in meetings and common decision-making situations.  Ensure that managers and knowledge workers are on the same page with risk, knowing how much risk is acceptable and how their decisions affect risk.  Employees also need to understand what it is they are trying to protect, such as customer information, trade secrets, or strategic business information.

Security awareness training can provide the skills and knowledge necessary to prevent data breaches and respond to those that happen.  It is also a crucial component of a security culture.  Security awareness training should be consistent and enacted for employees at all levels of the organization so that they can accurately recognize threats and understand their role in the response effort.  Since a large percentage of attacks target the human element in organizations, this training can equip employees with the skills to avoid such attacks.  Awareness training prepares employees for their role in incident response by teaching them about incident indicators and how to properly report an incident.

Incident response planning is also necessary to ensure that the response is performed correctly and in a timely manner.  An effective response can greatly minimize damages to both the organization and its customers.  Incident response plans should be regularly reviewed and updated, and those involved should participate in drills and exercises so that the response activities come naturally to them.

Leading all these efforts is a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).  This individual should have the authority to interface at the highest levels of the organization to ensure that preparation and protections are placed appropriately throughout the organization.  Responsibility for security lies not only in IT but in the entire organization, from senior management to the factory floor; remote office workers to branch office managers; and from interns to HR.  They will also need a budget to perform these activities.

Choose your CSO or CISO wisely because they will be a driving force behind security initiatives.  They will need to be an effective communicator and leader with good vision and planning skills.  In a recent Modern Workplace webinar on cyber intelligence and data breaches, Vanessa Pegueros, DocuSign CISO, said that the CISO should have breach experience.  Breach situations are often high-stress, but the lessons learned are invaluable for a security leader.

Put the right strategies in place to bring about cultural change, increase awareness, refine and communicate incident response plans.  Then, equip a CSO or CISO with the authority, responsibility, and budget to make it all happen.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Office 12

I was given a copy of Office 12 to try the other day. I plan to
compare it to Open Office.

The update on Open Office so far goes like this. Draw is not
impressive at all. I enjoyed using Writer and Calc. They feel almost
exactly like Word and Excel. I liked the ability to save documents as
PDF. One thing I find off is that there is a media player built into
the program. Why would I need a media player. Does it take so long
for me to run formulas that I will want to watch a movie?

Here is a few things on Office 12. Instead of the the older menu
interface Office 12 uses a new interface based on tabs that organize
sets of functions under headings such as "Write," "Page Layout," and
"Review". It will take some getting used to but this might turn out
to be more intuitive. Everything is XML based but the XML schema that
is used just works with MS apps. I really do not have much to say
yet because I have not had time with it yet. I will post updates.