Thinking about moving applications to the cloud? If you are – and what business isn’t – have you considered the impact of the EU General Data Protection Regulation (GDPR) on those plans?
At McAfee, we believe GDPR is an opportunity for security transformation – an opportunity to break away from a compliance-driven security approach and move to a secure- and privacy-by-design strategy.
The GDPR breaks from previous compliance schemes and, instead of dictating a checklist of security technology controls, requires organisations to develop long-lasting capabilities. As such, it presents an opportunity to review your comprehensive data and security strategy and build resilience rather than checklists. We believe that GDPR presents an opportunity for security to be seen as an enabler for business, and particularly an enabler to securely adopt cloud services.
Whether you are moving legacy applications to public cloud, adopting cloud storage, or consuming cloud-delivered business applications such as Office 365, you must consider the impact of GDPR specifically, and an opportunity to review or develop a cloud security strategy more broadly.
At McAfee, we want your business to say yes to cloud adoption, so here are some of the top questions and considerations for you to have an informed conversation with your cloud service provider about GDPR and overall security readiness:
Having strong and transparent security policies is the first step. In many cases, GDPR requires the appointment of a Data Protection Officer (DPO) to oversee the programme. Also ask to have a conversation with the DPO at your cloud provider.
How do you use the data collected?
Providers have a responsibility to disclose to you how they use, if appropriate, the data collected by their service as well as how they protect the information. Many organisations use collected data for analytics or other legitimate purposes. However, those processes should not create additional risk for you.
What security frameworks, standards or certifications do you follow or have you achieved for your service?
Several industry guides and processes exist that provide a standardised set of requirements and controls for protecting cloud services. FedRAMP, for example, is a comprehensive process to authorise cloud services for the US government, but the process is based on NIST guidance and could be adopted more broadly. Internationally there is ISO 27002, for which the Cloud Security Alliance provides additional guides. Cloud providers should use one of the available frameworks to assess and continuously monitor their maturity.
Can you identify a data breach and respond?
Statistically, over half of all data breaches are detected by external organisations. Given that GDPR requires notification to the relevant supervisory authority within 72 hours of when you, the organisation, became aware of a breach, it is critical to possess the capability to identify potential data breaches and to have a rehearsed process with which to respond. Ask your cloud provider whether it has a SOC or a CSIRT, either in house or as a managed service, with those abilities.
Where do you store and process the data that is collected?
Data residency is probably the number one concern when it comes to cloud services and preparation for the GDPR. Does your cloud provider have data centres in the EU or only in the US? Where does it store and process data? Is data moved from the EU to the US? These are just some of the concerns in this area but they can be resolved with proper data-at-rest encryption, access control and key management.
The above are all considerations when it comes to the GDPR and cloud service providers, although they’re not an exhaustive list. Hopefully this will help make you a more informed consumer of these services and start you on the way towards GDPR readiness. More importantly, these approaches will make for a safer business journey to the cloud.
The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, is for information purposes only, and does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit, promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.