GDPR: A Reason to Move to the Cloud?
Among the many benefits cloud offers for businesses today, including lower CAPEX and OPEX, it can also help firms to comply with the latest EU regulation, says Gareth Johnson.
Much has been made of the impact the General Data Protection Regulation (GDPR) looks set to have upon businesses come May next year. And with good reason too. But could the advent of the GDPR be a further incentive for businesses to move to the cloud, thereby reducing the risk of data exposure and punitive fines?
In short, yes. By making the switch from on-premise systems to the cloud model or by moving a proportion of your business into the cloud, you can help to spread your IT workload and in turn lower your costs and exposure to risk in the process.
Affecting businesses large and small, the primary aim of the GDPR is to usher in a new, improved playing field when it comes to the data protection of EU citizens. Those handling personal data will need to adhere or face fines of up to four percent of their annual turnover or €20 million, depending on whichever is greater.
Of course, many firms are already looking at a cloud-first route when it comes to their future IT strategy. But how do you know if this is something you should consider?
As it stands, many businesses will be running legacy IT applications and solutions which have been patched and added to over the years and will almost certainly leave data exposed under the new terms set out by the GDPR. Could you, for instance, identify a breach and notify the data protection authority within 72 hours of becoming aware of it?
Cloud makes sense for other reasons too. It can turn IT into a strategic asset for SMEs and enterprises that don’t have in-house expertise and wish to free up their IT team from what has often been seen as ‘fire-fighting’ mode. Another major bonus of deploying specialist cloud solutions comes in the additional benefits offered when it comes to securing data and being able to manipulate this to business advantage. By utilising an outsourced solutions provider for IT, contracts come with firm SLAs and guarantees such as 99.999% reliability – something most internal IT departments couldn’t even hope to get close to.
In addition, opting for a GDPR compliant cloud solutions provider that can deliver your solutions safely and on-tap will allow you to focus on your core business and could well save you unwanted attention from the regulator too.
But what sort of things should you be looking for? From the outset you should ask any cloud provider whether they are already GDPR compliant, whether they are aligning with the industry code on this, and whether they have measures in place to be compliant in advance of May 2018. Remember, any business wanting to act as your hosting provider or cloud host has a responsibility towards you too. Have you checked that your contracts as a controller bind the cloud hosting provider, who will be your data processor?
Consider private cloud solutions for instance. Whereabouts is your would-be provider storing your data and what measures are they taking to secure this? Is your data stored in a secure ISO 27001 military grade UK Data Centre or bunker that meets IL3 construction and security standards? And what residency guarantees do you have when it comes to your data?
There is certainly much for firms to consider when it comes to moving IT assets to the cloud, and the qualification behind this must always be based upon strategic thinking that delivers business optimisation and measurable improvements to the bottom line. GDPR further complicates the issue for any company processing personal data, and it may well be that your business also needs to appoint a Data Protection Officer if you are operating at the larger end of the scale.
If you’re in any way concerned that you don’t have complete visibility and control over the data you hold, or over who might be processing or storing it, then you will certainly struggle to be compliant with the GDPR. Cloud, grounded by the principles discussed above and in conjunction with a full risk assessment, will help get you there. Don’t delay: the clock is ticking.
Do you need strategic guidance and advice around the GDPR and how it affects your business?
CIS offers a full set of services encompassing all aspects of the GDPR. This includes a GDPR Compliance Gap Assessment Tool and a full suite of security services including Firewalling and Unified Threat Management, Endpoint Protection, Multi-Factor Authentication Services, plus Cloud Hosting and Remote Access Control. We also partner with a CREST-approved external security company for testing of Internet-facing IP addresses and URLs.
Once we’ve assessed current processes and policies and established whether they are compliant with the GDPR, we advise on putting changes into practice through either assisted or fully-managed implementation services. For those who need it, we also offer a Data Protection Officer as a Service (DPOaaS) to support you through establishing these and should any breach occur.