
RGPD and Cloud: Getting off to a good start

On May 25, the General Data Protection Regulation (GDPR, RGPD in French) came into force. The RGPD affects every business, but also the cloud subcontractors who host personal data. This European text requires many processes to be reviewed. The RGPD is here! Two years after its adoption, this text of almost 100 articles has several special features.

  • Firstly, this is one of the few European regulations that has given the entities concerned two years to prepare for compliance; in reality, many companies have only been working on it for a few months, or even a few weeks!
  • Secondly, and this is the important point, the RGPD concerns all companies and administrations, regardless of their country of origin or activity: as soon as they collect or process personal data of European citizens, they must comply with it.

The RGPD therefore has an impact on the cloud, since the regulation focuses on the "processing" of data. For the legislator, "processing" covers every operation applied to personal data or sets of personal data (consultation, modification, download, copy...), whether or not it is carried out by automated means.

The company's DPO (Data Protection Officer) must therefore ask (and verify) CIOs or IT managers to put in place procedures to respect the rights of European citizens, in particular those linked to portability and erasure.

Shadow IT: the bête noire of CIOs

But before implementing these procedures, it is essential to carry out an exhaustive mapping of the Information System. This includes not only internal infrastructure, but also the cloud. All applications handling personal data must be listed. A real headache with Shadow IT on the increase!

A recent study by CESIN (Club des Experts de la Sécurité de l'Information et du Numérique) reveals that, on average, 1,700 CloudApps are actually in use per company. Yet many CIOs and IT managers think that there are only 30 to 40 in their company! The most widely used are Workplace by Facebook and Google Drive.

It is therefore essential to use data discovery solutions to locate every database and to inventory the data lakes.

The next step, according to some, is to anonymize or mask the data. But this technique is not enough on its own. Replacing first and last names with characters such as * or # does not guarantee real confidentiality. As the G29 (the group of European data protection authorities) has pointed out, correlating the remaining data always makes it possible to identify a person.
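To make the G29 point concrete, here is an added example (not code from the original article) that checks a masked data set for the re-identification risk described above: the names are replaced with `****`, but the combination of postcode, birth year and gender still singles out most rows. The records, the quasi-identifier columns and the generalization levels are constructed for the illustration; the check generalizes the idea by measuring k-anonymity (the smallest group of rows sharing the same quasi-identifiers) and coarsening the quasi-identifiers until a target k is reached.

```python
from collections import Counter

# Constructed sample: names already masked with '*', as the article describes.
# Postcode, birth year and gender are "quasi-identifiers"; diagnosis is the sensitive value.
MASKED = [
    {"name": "****", "postcode": "75011", "birth_year": 1984, "gender": "F", "diagnosis": "asthma"},
    {"name": "****", "postcode": "75012", "birth_year": 1986, "gender": "F", "diagnosis": "none"},
    {"name": "****", "postcode": "75015", "birth_year": 1989, "gender": "F", "diagnosis": "diabetes"},
    {"name": "****", "postcode": "75011", "birth_year": 1984, "gender": "M", "diagnosis": "none"},
    {"name": "****", "postcode": "75020", "birth_year": 1987, "gender": "M", "diagnosis": "hypertension"},
    {"name": "****", "postcode": "69003", "birth_year": 1975, "gender": "M", "diagnosis": "none"},
    {"name": "****", "postcode": "69007", "birth_year": 1972, "gender": "M", "diagnosis": "asthma"},
]

QUASI_IDS = ("postcode", "birth_year", "gender")  # assumption: these columns are public elsewhere


def quasi_key(rec, quasi_ids=QUASI_IDS):
    """The tuple an outside data set (electoral roll, directory...) could be joined on."""
    return tuple(rec[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest group sharing the same quasi-identifiers; k == 1 means a row is unique."""
    counts = Counter(quasi_key(r, quasi_ids) for r in records)
    return min(counts.values()) if counts else 0


def singled_out(records, quasi_ids=QUASI_IDS):
    """Indices of rows that are alone with their quasi-identifier combination (re-identifiable)."""
    counts = Counter(quasi_key(r, quasi_ids) for r in records)
    return [i for i, r in enumerate(records) if counts[quasi_key(r, quasi_ids)] == 1]


def generalize(rec, level):
    """Coarsen quasi-identifiers step by step (a constructed generalization ladder).

    level 1: keep only the department (2-digit postcode prefix) and the decade of birth
    level 2: additionally drop gender
    level 3: additionally drop the postcode entirely
    """
    out = dict(rec)
    if level >= 1:
        out["postcode"] = rec["postcode"][:2] + "***"
        out["birth_year"] = rec["birth_year"] // 10 * 10
    if level >= 2:
        out["gender"] = "*"
    if level >= 3:
        out["postcode"] = "*****"
    return out


def anonymize(records, k_target, quasi_ids=QUASI_IDS, max_level=3):
    """Apply the weakest generalization level that reaches k_target; raise if none does."""
    for level in range(max_level + 1):
        out = [generalize(r, level) for r in records]
        if k_anonymity(out, quasi_ids) >= k_target:
            return out, level
    raise ValueError(f"cannot reach {k_target}-anonymity with the available generalizations")


if __name__ == "__main__":
    print("k of masked data:", k_anonymity(MASKED), "unique rows:", singled_out(MASKED))
    anon, level = anonymize(MASKED, 2)
    print(f"after generalization level {level}: k = {k_anonymity(anon)}")
    for r in anon:
        print(r)
```

Masking alone leaves k = 1 for every row of the sample, which is exactly the situation the G29 warns about; generalizing the quasi-identifiers reaches 2-anonymity, while 3-anonymity cannot be reached on this small set even after dropping gender and postcode, which is the signal to release less data or aggregate further.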

RGPD & Cloud: Co-responsibility

Encryption will therefore become widespread, not only for information exchange but also for data at rest in the cloud. Here too, however, companies may come up against a technical limit.

The time required to encrypt and decrypt a data lake can be prohibitive when it is done at the software (application) layer, which requires far more resources than encrypting a hard disk. It is therefore essential to "prioritize" data and concentrate on personal data (but also on confidential information, which must be protected as well).

Then there is access to data in the cloud. As always, the finger is pointed at the human being: presented as the weak link, people can be the source of errors or of malicious acts. As with cybersecurity in general, the RGPD should be an opportunity to raise employee awareness of good practices. This digital hygiene will benefit every company using the cloud, since it strengthens their long-term viability.

At the same time, companies need to implement solutions that enable them to control and identify every person connecting to a cloud service and handling private data.

Full reporting must be available so that any data leak can be traced. In that case, the company has 72 hours to notify the CNIL and prepare a complete file (including the origin of the security breach). That is why it is so important to keep your register of processing activities up to date: it records the processing operations that have been implemented and thus makes it possible to trace modifications, evolutions and accesses.
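The traceability the paragraph asks for starts with audit logs that can answer "who touched this data set, when, and how". The following is an added example, not code from the original article or from any cloud provider: it parses a few constructed audit lines in a hypothetical `key=value` format (real providers each have their own schema), rebuilds the access trail of one object, and flags a user who downloaded several personal-data objects in a short window, the kind of signal that starts the 72-hour clock. The `crm/` and `hr/` prefixes stand in for entries of the processing register and are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit lines in a hypothetical key=value format (not a real provider's schema).
LOG_LINES = [
    "2024-03-01T09:58:02Z user=alice action=read object=hr/payroll.csv ip=10.0.0.5",
    "2024-03-01T10:02:11Z user=bob action=download object=crm/customers.csv ip=10.0.0.7",
    "2024-03-01T10:03:40Z user=bob action=download object=crm/leads.csv ip=10.0.0.7",
    "2024-03-01T10:04:05Z user=bob action=download object=crm/contacts.csv ip=10.0.0.7",
    "2024-03-01T10:30:00Z user=carol action=modify object=crm/customers.csv ip=10.0.0.9",
    "2024-03-01T11:15:27Z user=alice action=read object=crm/customers.csv ip=10.0.0.5",
    "2024-03-02T08:00:00Z user=bob action=read object=public/brochure.pdf ip=10.0.0.7",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<obj>\S+) ip=(?P<ip>\S+)$"
)

# Assumption: the processing register says these storage prefixes hold personal data.
PERSONAL_DATA_PREFIXES = ("crm/", "hr/")


def parse_line(line):
    """Turn one audit line into a dict with a timezone-aware timestamp; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def parse_lines(lines):
    """Parse every line, silently skipping the ones that do not match the format."""
    return [e for e in (parse_line(line) for line in lines) if e]


def access_trail(events, obj):
    """Every recorded access to one object, oldest first: (when, who, what)."""
    return [
        (e["ts"].isoformat(), e["user"], e["action"])
        for e in sorted(events, key=lambda e: e["ts"])
        if e["obj"] == obj
    ]


def is_personal_data(obj):
    return obj.startswith(PERSONAL_DATA_PREFIXES)


def bulk_download_alerts(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` downloads of personal-data objects inside one sliding window.

    Returns {user: timestamp of the first download of the offending burst}.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "download" and is_personal_data(e["obj"]):
            per_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts[user] = times[i].isoformat()
                break
    return alerts


if __name__ == "__main__":
    events = parse_lines(LOG_LINES)
    for row in access_trail(events, "crm/customers.csv"):
        print(*row)
    print("bulk download alerts:", bulk_download_alerts(events))
```

The trail for `crm/customers.csv` shows the download, the later modification and the read in order, and the window check singles out the user who pulled three personal-data files in under three minutes; both outputs are what the incident file for the CNIL needs to contain.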

Company and subcontractors

Finally, the RGPD imposes "co-responsibility" between the company and its processors. Processors must ensure that the data has been collected with the users' "explicit" consent. They must also implement security processes and help their customers comply with the regulation.

But according to Article 26 of the RGPD, the company director remains responsible for the processing applied to personal data. He must therefore verify the guarantees his subcontractors provide in terms of data protection. It is advisable to have a lawyer check your subcontractors' contracts, not only with regard to the RGPD but more generally on their commitments concerning the safeguarding of your files.

Ultimately, the RGPD obliges all data processing (Cloud) players to work hand in hand to improve the security of personal data. Above all, don't look at the RGPD solely through the prism of sanctions: "privacy is good for business" is the leitmotif of the Anglo-Saxons. The French should take a leaf out of their book!
