Is your business ready for GDPR?
With discussions over the General Data Protection Regulation (GDPR) in full swing, companies all over the European Union should be preparing for stricter rules governing the protection of personal data. But as technology advances at a rapid pace, more and more companies are storing and processing their sensitive information in the cloud and on mobile devices—where security becomes a bit trickier.
The GDPR could become a reality as early as this year, and businesses must be prepared to abide by the new regulations just as the nature of work is changing. It’s as good a time as any to begin preparing for the switch.
The EU’s data protection reform has been a long time coming. Technology has become integral to business operations, and though the Data Protection Directive was just passed in 2012, it was already found to be in need of significant overhaul. There are some notable changes under consideration:
- The GDPR will apply to all businesses that collect data on EU residents, regardless of the business’ location.
- The definition of personal data has not changed, per se, and any organisation collecting identifying information is still subject to compliance. But the big headline is that “pseudonymous data”—which is often used for R&D purposes—is now also subject to regulation. This means that even if the information gathered does not directly identify a subject, it must now be as carefully guarded as personally identifiable information.
- Genetic data (even if anonymized) and data about criminal convictions are being added to the category of “sensitive personal data,” which currently includes data that reveals race, political opinions, religious beliefs, trade union membership, or health information. Sensitive personal data requires more protection than standard personal data.
- Processing companies—such as third-party vendors or technology service providers—are now subject to regulation and privacy compliance.
What does this mean for your business?
The new regulations are increasing accountability for keeping corporate and client data secure, and they’re restricting the way information is shared. By the same token, the tightened regulations aim to decrease the incidence of leaks and data breaches and improve the privacy of anyone whose personal information is collected for any reason.
These changes are coming at a time when more and more professionals are syncing—and exposing—data on their mobile devices, and negotiating privacy and security in the cloud, with its vulnerabilities, isn’t always clear-cut. True, if BYOD and file sync-and-share solutions are already being used in your organization, you’ve probably already given thought to the fact that the lack of default on-device encryption is a major problem. But if your business is already using the cloud and you haven’t yet addressed this security gap, the GDPR provides an opportunity to check on your security measures and bolster them, making sure that files stay secure and impenetrable wherever they’re being stored, shared, or synced.
Frankly, even if your business isn’t using the cloud officially, chances are your employees already are—and that’s a problem. In the UK, 42 percent of office workers said they would use or purchase unapproved cloud services to get their work done, and 36 percent admitted to already having done so. The number is even higher for knowledge workers like engineers, doctors, architects, and lawyers: 60 percent of these said they would use unapproved cloud services without the IT department’s permission.
In the absence of an approved SaaS file storage solution, employees are bound to find workarounds. But if your business isn’t sanctioning cloud usage, it’s not controlling its security either. Popular cloud storage providers do not provide encryption protection once files are synced to mobile devices; instead, they’re only protecting the data at rest on their servers and in transit between your device and their cloud. So when an attorney syncs confidential client information from his Dropbox account to his phone to prepare for court, or a researcher syncs scores of genetic records to his tablet to be able to work from home, that information is unsecured and free for the taking should that tablet or smartphone get lost or stolen. More than 750,000 phones get stolen in the UK each year. Add to that the theft of tablets, flash drives, and laptops as well as inadvertent loss, and the astonishing number indicates that there’s an awful lot of unprotected information floating around out there.
So no matter how secure your business’ network and firewalls seem to be, the truth is that corporate data just isn’t being kept on the premises anymore. Executives must respond to that, now more than ever, as the GDPR prepares to clamp down.
What can you do to protect your data in the cloud?
- Get on board with the cloud. If your company is not already using the cloud, adopt it. You’ll want to eliminate any unapproved workarounds from your employees’ workflows and make sure everyone’s on the same (secure) page.
- Encrypt your data. The number-one way to protect your company’s data in the cloud is to encrypt it. While most common cloud providers—like Dropbox or Google Drive—provide robust encryption on their network, that protection ends as soon as a file leaves it, because it covers the provider’s servers and the connection to them, not the file itself. It’s therefore wise to add a layer of protection with file-level encryption, which encrypts files before they reach the cloud. This way, wherever they’re stored, synced, or shared, they’ll remain encrypted, appearing indecipherable to everyone but the authorized user—including your cloud storage provider.
- Prioritize seamlessness. When implementing security measures, keep in mind that employees want the path of least resistance. Security works best if you can’t tell it’s there. For example, sharing secure files in Dropbox should look the same as sharing regular Dropbox files; sending secure attachments shouldn’t require clunky portals; and accessing corporate files from home shouldn’t demand a difficult VPN. Finding security solutions that incorporate seamlessly into existing workflows is critical to getting your employees to use them.
- Keep your passwords strong. It may seem obvious, but passwords are still the gateway to corporate files, and they’re still the first line of defense. Make sure your employees have strong, unique passwords that get changed often.
As the GDPR changes loom, it’s imperative to start securing files, implementing strong security safeguards, and creating a smooth transition for your workforce.
Asaf Cidon is CEO and co-founder of Sookasa, a cloud security and encryption company that enables safe adoption of popular cloud services such as Dropbox and Google Drive to store sensitive information.
GfK and VMware: Innovating together on hybrid cloud
GfK has been the global leader in data and analytics for more than 85 years, supplying its clients with optimised decision inputs.
In its capacity as a strategic and technical partner, VMware has been walking GfK along its digital transformation path for over a decade.
“We are a demanding and singularly dynamic customer, which is why a close partnership with VMware is integral to the success of everyone involved,” said Joerg Hesselink, Global Head of Infrastructure, GfK IT Services.
Four years ago, the Nuremberg-based researcher expanded its on-premises infrastructure by introducing VMware vRealize Automation. In doing so, it laid a solid foundation, resulting in a self-service hybrid-cloud environment.
By expanding on the basis of VMware Cloud on AWS and VMware Cloud Foundation with vRealize Cloud Management, GfK has given itself a secure infrastructure and reliable operations by efficiently operating processes, policies, people and tools in both private and public cloud environments.
One important step for GfK involved migrating from multiple cloud providers to just a single one. The team chose VMware.
“VMware is the market leader for on-premises virtualisation and hybrid-cloud solutions, so it was only logical to tackle the next project for the future together,” says Hesselink.
Migration to the VMware-based environment was integrated into existing hardware simply and smoothly in April 2020. Going forward, GfK’s new hybrid cloud model will establish a harmonised core system complete with VMware Cloud on AWS, VMware Cloud Foundation with vRealize Cloud Management and a volume rising from an initial 500 VMs to a total of 4,000 VMs.
“We are modernising, protecting and scaling our applications with the world’s leading hybrid cloud solution: VMware Cloud on AWS, following VMware on Google Cloud Platform,” adds Hesselink.
The hybrid cloud-based infrastructure also empowers GfK to respond to new and future projects with astonishing agility: Resources can now be shifted quickly and easily from the private to the public cloud – without modifying the nature of interaction with the environment.
The gfknewron project is a good example – the company’s latest AI-powered product is based exclusively on public cloud technology. The consistency guaranteed by VMware Cloud on AWS eases the burden on both regular staff and the IT team. Better still, since the teams are already familiar with the VMware environment, the learning curve for upskilling is short.
One very important factor for GfK was that VMware Cloud on AWS constituted an investment in future-proof technology that will stay relevant.
“The new cloud-based infrastructure comprising VMware Cloud on AWS and VMware Cloud Foundation forges a successful link between on-premises and cloud-based solutions,” says Hesselink. “That in turn enables GfK to efficiently develop its own modern applications and solutions.
“In market research, everything is data-driven. So, we need the best technological basis to efficiently process large volumes of data and consistently distill them into logical insights that genuinely benefit the client.
“We transform data and information into actionable knowledge that serves as a sustainable driver of business growth. VMware Cloud on AWS is an investment in a platform that helps us be well prepared for whatever the future may hold.”