As the GDPR arrives – and as 32% of businesses using cloud services report losing data – the need to prioritise what people so often call cybersecurity and what we call cloud security and identity access has become even more compelling. Have you made any plans yet? Do you already have a budget and/or dedicated resources earmarked for GDPR compliance? If you do, you may be in the minority.
While some organisations already have an in-house data protection or information security officer, many more do not. Do you, for example, currently maintain an accurate and up-to-date information asset register, and are you confident you have strong technical and procedural controls over all data? Your cloud security and identity access policies must not only be strong enough to count, but also need to be monitored, enforced and refreshed on an ongoing basis. And don’t forget, if a data breach occurs, you will not only have to notify the relevant data protection authorities within 72 hours – if the leaked data is likely to impact on the rights of the people involved, you must also notify the individuals.
Does this all seem a bit overwhelming? Well, it shouldn’t. Data protection and cloud security are almost certainly not your core business, nor should they be, even though they are assuming much greater importance. But the knowledge, expertise and systems to make your plans and ensure GDPR compliance are out there, from companies like EveryCloud. And as our name suggests, few if any other providers can do what we do for every cloud.
The first step is discovery: to understand the risks you face, in terms of the data you hold or process and data loss prevention, that could result in business disruption, reputational damage and regulatory penalties; to reveal obstacles to compliance and identify ways to resolve or remove those obstacles. Nobody claims the process is always a fast and easy one – but at the same time, nobody says you have to do all the heavy lifting yourself. So, will two years be enough for you to plan and comply with the new EU rules? A valuable first step on the road to GDPR compliance is asking yourself some simple questions:
- Do you have all the information that you need to plan effectively – including the true breadth and extent of data storage and data processing services that you access and use via the cloud, and the true extent of ‘shadow IT’ in your organisation?
- Do you know what employee and customer/client personal data you hold, where it is – and how secure it is?
- Do you have documented (and enforced) cloud security, identity access and data loss prevention (DLP) strategies?
- Are there obvious gaps in your data protection strategy – and do you know the fastest and most effective ways to close them?