GDPR has been on the minds of business owners and IT teams for some time now. The legislation, and the vast amount of ground it covers, is complex enough, yet for some it still doesn't go far enough on how to handle the technologies that businesses now use as part of their everyday operations, cloud computing for example.

Almost every business has some exposure to cloud-based apps, from Google Drive to Salesforce, Expensify, Dropbox and WeTransfer, and they can genuinely simplify operations or improve a business's performance.

Where it starts to get messy is when individuals within an organisation source and adopt apps without the help or advice of IT. Some even hide them from IT because they know they haven't followed the proper procurement procedure. Multiply that by tens, or hundreds in the case of a major company, and you can see how the numbers and the IT risks start to spiral.

Shadow IT

A recent Netskope Cloud Report estimated that a Europe-wide enterprise could be using up to 608 cloud apps, and some believe even that figure is an underestimate. From an IT management perspective, it's shadow IT in its worst possible form, which raises the question: how can a business hope to comply with the GDPR if it doesn't have full visibility of, let alone control over, its IT dependencies?

8 Tips to Keep You Compliant

  1. Know where cloud apps are processing and storing data

To do this, you'll need to know which cloud apps are being used within the business and where each of them hosts the data it collects, and record both as part of your data mapping process.

To get an honest answer to that question internally, you may need to declare an 'app amnesty'; otherwise employees who fear the consequences will keep quiet, leaving the business open to risk.

Remember that an app vendor's headquarters is seldom where the information is actually housed, and it's not uncommon for data to be moved between data centres (and across borders), so ask the provider for the specific hosting regions rather than assuming.

  2. Beef up your security to protect personal data from loss, change or unauthorised processing

Once you know which apps are being used, you need to confirm they meet your own security standards and the heightened GDPR standards coming down the track, to reduce the risk of data loss or a breach.

Anything that falls outside your security standard should be blocked, using your firewalls, web proxy and other IT security measures, or, where it offers a service you genuinely don't want to be without, supported with compensating controls at your end (single sign-on and your own access reviews, for example).

If you'd rather avoid the additional work and switch to an app that offers a similar service with adequate security, there are plenty of tools out there for running quick comparisons.

  3. Put data processing agreements in place with your cloud app providers

Now you know which apps the business needs and you’re happy they come with solid security:

  • Circulate the approved list throughout the business, and
  • Put data processing agreements in place with your chosen providers to ensure they meet the data protection requirements of the GDPR.

Providers that meet the standards and take their data protection obligations seriously shouldn't be concerned about putting agreements in place. On the flip side, a provider that resists should raise a red flag.
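Tips 1 and 3 together amount to a concrete check: compare what the logs say is actually in use against the approved list. The script below is an added example written for this article, not code from the original page or from any vendor. It assumes a Squid-style web proxy access log in which the seventh whitespace-separated field is the requested URL and the eighth is the authenticated user; the log lines, the app catalogue and the approved list are all constructed for illustration.

```python
"""Shadow-IT discovery from web proxy logs.

Added example, not code from the original article. Assumes a Squid-style
access log (7th field = URL, 8th field = user). The sample lines, the app
catalogue and the approved list below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines: time, elapsed-ms, client, result/status, bytes, method, url, user
SAMPLE_LOG = """\
1517481600.123 312 10.0.1.15 TCP_MISS/200 4521 GET https://drive.google.com/drive/my-drive alice
1517481601.456 122 10.0.1.22 TCP_MISS/200 913 POST https://api.dropboxapi.com/2/files/upload bob
1517481602.789 88 10.0.1.15 TCP_MISS/200 2210 GET https://wetransfer.com/ alice
1517481603.001 201 10.0.1.31 TCP_MISS/200 1830 GET https://eu1.salesforce.com/home carol
1517481604.555 140 10.0.1.22 TCP_MISS/200 755 GET https://www.expensify.com/inbox bob
1517481605.222 97 10.0.1.40 TCP_MISS/200 3400 GET https://intranet.example.internal/ dave
1517481606.333 65 10.0.1.31 TCP_MISS/200 1200 POST https://content.dropboxapi.com/2/files/upload carol
malformed line that should be skipped
"""

# Illustrative catalogue: hostname suffix -> app name. The most specific suffix
# wins, so "drive.google.com" is matched before a generic "google.com" would be.
APP_CATALOGUE = {
    "drive.google.com": "Google Drive",
    "dropboxapi.com": "Dropbox",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
    "salesforce.com": "Salesforce",
    "expensify.com": "Expensify",
}


def classify_host(host):
    """Return the catalogued app for a hostname, trying the longest suffix first."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        app = APP_CATALOGUE.get(".".join(labels[i:]))
        if app:
            return app
    return None


def parse_line(line):
    """Return (hostname, user) for a well-formed line, or None for junk."""
    fields = line.split()
    if len(fields) < 8:
        return None
    host = urlsplit(fields[6]).hostname
    return (host, fields[7]) if host else None


def discover_apps(log_text):
    """Aggregate requests per catalogued app: {app: {"users": set, "requests": int}}."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        host, user = parsed
        app = classify_host(host)
        if app:
            usage[app]["users"].add(user)
            usage[app]["requests"] += 1
    return dict(usage)


def shadow_apps(usage, approved):
    """Apps seen in the logs but absent from the approved list: the data-mapping to-do list."""
    return sorted(app for app in usage if app not in approved)


if __name__ == "__main__":
    seen = discover_apps(SAMPLE_LOG)
    approved = {"Google Drive", "Salesforce"}  # constructed approved list
    for app in shadow_apps(seen, approved):
        users = ", ".join(sorted(seen[app]["users"]))
        print(f"unapproved: {app:12} requests={seen[app]['requests']} users={users}")
```

The per-app user list is what makes the 'app amnesty' conversation concrete: you can go to the people actually using Dropbox or WeTransfer and ask what data goes through it, rather than sending a blanket survey. A production tool would replace the hand-written catalogue with a maintained SaaS domain list and read the proxy, DNS or CASB export you actually have.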

  4. Only collect data that's necessary and limit processing of 'special data'

For many companies, it has been a case of ‘more is more’ when it comes to collecting personal information on customers. The school of thought has been that you never knew when it might come in handy, and if there was no problem with asking for it, you might as well gather and process it.

That's no longer the case: the GDPR places strict limits on what you can ask for and process, and you must be able to show a lawful basis for each purpose, such as consent you can prove was given, or a legitimate interest.

That means no more blanket marketing emails, for instance, and with similarly stringent rules around profiling, there's a question of how much room it leaves in the middle.

To help overcome the challenges here, businesses that use apps as part of their everyday operation are being encouraged to specify in their data processing agreements that only the personal data needed to perform the app's function is collected, and nothing more.

Going further, there are tighter limits on the collection of special category data: information revealing, for example, someone's racial or ethnic origin, religious beliefs or political opinions. Ask whether you really need this information, and if the answer is no, begin the process of minimisation. The less data you hold, the less there is to be non-compliant, and the less there is to lose in a breach.

  5. Don't allow cloud apps to use personal data for other purposes

Understanding how app providers use the information you store with them is paramount for data protection. Ensure data processing agreements are in place and carry out due diligence on data ownership and on any sub-processors the provider uses.

You should be looking for terms and conditions that state clearly that the customer owns the data and that the provider does not share it with third parties or use it for anything beyond delivering the service to you.

  6. Make sure you can delete the data at any time

As a rule, any app used by the business should guarantee deletion of all stored data when the contract ends. The GDPR is primarily focused on the rights of the individual and, as such, their 'right to be forgotten' (the right to erasure) is high on the new legislation's agenda.

That means businesses that collect information must also be able to remove it on request, erasing it permanently from every data repository, backups and replicas included, so that it cannot be recovered by anyone. Backups are usually the hard part, so check how each provider handles erasure from them before you sign.

In the case of a subject access request, you should also be able to retrieve all the personal data you hold about an individual and provide it in a readable (and, for portability, machine-readable) format within the statutory time limit, which is one month and can be extended only for complex requests. That means having the right IT systems in place, and knowing every app that holds the data, to facilitate this.

  7. Make your IT policies all-inclusive

As more businesses go mobile and rely on remote devices, information has never been more fluid or more exposed to risk.

To keep on top of that, it's important that IT policies cover every element of your IT infrastructure. So, whether someone is using a desktop on the office network, working from home on a laptop, or working on the move from their mobile, the same robust security measures should be in place to keep the business and its customers protected. That means, for starters, full-disk encryption of every device capable of accessing company data, not just of the files themselves, and further measures such as anonymisation or tokenisation of the personal data that leaves your own systems.
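The tokenisation mentioned above and the erasure requirement in tip 6 fit together: if a cloud app only ever receives tokens, and the mapping back to the real values lives in a vault you control, then deleting one person's vault entry makes every copy of their token unresolvable wherever it has been sent. The code below is an added example written for this article, not code from the original page or from any product; the in-memory vault, the demo key and the sample record are assumptions for illustration, and it uses only the Python standard library.

```python
"""Tokenising personal data before it leaves your systems, with erasure support.

Added example, not code from the original article. Direct identifiers are
replaced by keyed pseudonyms (HMAC-SHA256) before a record is sent to a cloud
app; the real values are kept only in a vault you control. The in-memory vault,
the demo key and the sample inputs are assumptions for illustration.
"""
import hashlib
import hmac

# Demo key only: in production this comes from a KMS/HSM and is never in source.
DEMO_KEY = hashlib.sha256(b"demo key, not for production").digest()

PII_FIELDS = ("email", "name")  # fields treated as direct identifiers (assumption)


class TokenVault:
    """Maps tokens back to the personal data they stand in for."""

    def __init__(self, key):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self._store = {}  # token -> original value

    def _token(self, field, value):
        # Keyed, so the same value always maps to the same token (joins and
        # de-duplication keep working downstream) while nobody without the
        # key can re-derive a token from a guessed value.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
        return f"tok_{field}_{mac.hexdigest()[:32]}"

    def tokenise(self, field, value):
        token = self._token(field, value)
        self._store[token] = value
        return token

    def detokenise(self, token):
        """Resolve a token, or None if it was never issued here or has been erased."""
        return self._store.get(token)

    def erase(self, field, value):
        """Right to erasure: drop the mapping so the token is dead wherever it was sent."""
        return self._store.pop(self._token(field, value), None) is not None


def pseudonymise(vault, record):
    """Return a copy of the record with every PII field replaced by its token."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = vault.tokenise(field, out[field])
    return out


def guess_unkeyed_hash(digest_hex, candidates):
    """Why a plain SHA-256 of an email is not anonymisation: a short dictionary
    of likely values recovers it. The keyed token above has no such shortcut."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == digest_hex:
            return candidate
    return None


# Constructed sample inputs.
SAMPLE_RECORD = {"email": "alice@example.com", "name": "Alice", "plan": "pro"}
UNKEYED_DIGEST = hashlib.sha256(b"alice@example.com").hexdigest()
CANDIDATES = ["bob@example.com", "alice@example.com", "carol@example.com"]

if __name__ == "__main__":
    vault = TokenVault(DEMO_KEY)
    safe = pseudonymise(vault, SAMPLE_RECORD)
    print("sent to cloud app:", safe)
    print("resolved locally: ", vault.detokenise(safe["email"]))
    vault.erase("email", "alice@example.com")
    print("after erasure:    ", vault.detokenise(safe["email"]))
    print("unkeyed hash guessed as:", guess_unkeyed_hash(UNKEYED_DIGEST, CANDIDATES))
```

Two design points matter in practice. First, the token is a keyed MAC rather than a bare hash: an unkeyed hash of an email address is trivially reversed from a list of likely addresses, as `guess_unkeyed_hash` shows, so it does not count as anonymisation. Second, tokenised data sent to a provider is still pseudonymised personal data under the GDPR as long as the vault exists, so the processing agreements in tip 3 are still needed; what tokenisation buys you is a single place to honour erasure and a much smaller blast radius if the provider is breached.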

  8. Get expert help

Optimising cloud services is something every business should seek expert advice on, to ensure the right software is being used and the licensing is managed well. That was solid advice before the GDPR, but it's an essential sense-check for any business ahead of the 25 May 2018 deadline.

Cloud computing has raised more than a few questions in recent years about data management and ownership, and it's likely to get its fair share of the spotlight when the legislation kicks in. People often fear what they don't understand, and as a relatively new technology with a few blurred edges, it could be a service area over which regulators look to exert more control.

Pebble.it offers expert advice on all things cloud services. We're an authorised software reseller too, so if you're currently using a cloud-based service that might not meet your future GDPR requirements, we can advise on alternative software and manage the licensing.

We have a wealth of knowledge on the subject and work with clients to ensure they're smart with their budget, and we can look for opportunities to save you money on your current spend, if that's something you're keen to do.

As certified GDPR experts, pebble.it can help you meet GDPR compliance across your organisation, assessing what you have and what you need to do to avoid the risk of regulatory fines.

Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist:
