Is your business ready for GDPR?
With discussions over the General Data Protection Regulation (GDPR) in full swing, companies all over the European Union should be preparing for stricter rules governing the protection of personal data. But as technology advances at a rapid pace, more and more companies are storing and processing their sensitive information in the cloud and on mobile devices—where security becomes a bit trickier.
The GDPR could become a reality as early as this year, and businesses must be prepared to abide by the new regulations just as the nature of work is changing. It’s as good a time as any to begin preparing for the switch.
The EU’s data protection reform has been a long time coming. Technology has become integral to business operations, and though the Data Protection Directive was just passed in 2012, it was already found to be in need of significant overhaul. There are some notable changes under consideration:
- The GDPR will apply to all businesses that collect data on EU residents, regardless of the business’ location.
- The definition of personal data has not changed, per se, and any organisation collecting identifying information is still subject to compliance. But the big headline is that “pseudonymous data”—which is often used for R&D purposes—is now also subject to regulation. This means that even if information gathered does not directly identify a subject, it must now be as carefully guarded as personally identifiable information.
- Genetic data (even if anonymized) and data about criminal convictions are being added to the category of “sensitive personal data,” which currently includes data that reveals race, political opinions, religious beliefs, trade union membership, or health information. Sensitive personal data requires more protection than standard personal data.
- Processing companies—such as third-party vendors or technology service providers—are now subject to regulation and privacy compliance.
What does this mean for your business?
The new regulations are increasing accountability for keeping corporate and client data secure, and they’re restricting the way information is shared. By the same token, the tightened regulations aim to decrease the incidence of leaks and data breaches and improve the privacy of anyone whose personal information is collected for any reason.
These changes arrive at a time when more and more professionals are syncing—and exposing—data on their mobile devices, and reconciling privacy and security with the cloud and its vulnerabilities isn’t always clear-cut. True, if BYOD and file sync-and-share solutions are already in use in your organization, you’ve probably already recognized that the lack of default on-device encryption is a major problem. But if your business is already using the cloud and hasn’t yet addressed this security gap, the GDPR provides an opportunity to check your security measures and bolster them, making sure that files stay secure and impenetrable wherever they’re stored, shared, or synced.
Frankly, even if your business isn’t using the cloud officially, chances are your employees already are—and that’s a problem. In the UK, 42 percent of office workers said they would use or purchase unapproved cloud services to get their work done, and 36 percent admitted to already having done so. The number is even higher for knowledge workers like engineers, doctors, architects, and lawyers: 60 percent of these said they would use unapproved cloud services without the IT department’s permission.
In the absence of an approved SaaS file storage solution, employees are bound to find workarounds. But if your business isn’t sanctioning cloud usage, it’s not controlling its security either. Popular cloud storage providers do not provide encryption protection once files are synced to mobile devices; they only protect the data at rest on their servers and in transit between your device and their cloud. So when an attorney syncs confidential client information from his Dropbox account to his phone to prepare for court, or a researcher syncs scores of genetic records to his tablet to be able to work from home, that information is unsecured and free for the taking should that tablet or smartphone get lost or stolen. More than 750,000 phones get stolen in the UK each year. Add to that the theft of tablets, flash drives, and laptops as well as inadvertent loss, and the astonishing number indicates that there’s an awful lot of unprotected information floating around out there.
So no matter how secure your business’ network and firewalls seem to be, the truth is that corporate data just isn’t being kept on the premises anymore. Executives must respond to that, now more than ever, as the GDPR prepares to clamp down.
What can you do to protect your data in the cloud?
- Get on board with the cloud. If your company is not already using the cloud, adopt it. You’ll want to eliminate any unapproved workarounds from your employees’ workflows and make sure everyone’s on the same (secure) page.
- Encrypt your data. The number-one way to protect your company’s data in the cloud is to encrypt it. While most common cloud providers—like Dropbox or Google Drive—provide robust encryption on their network, that protection ends as soon as a file leaves their infrastructure, because it protects the storage and the connection rather than the file itself. It’s therefore wise to add an additional layer of protection with file-level encryption, which encrypts files before they reach the cloud. This way, wherever they’re stored, synced, or shared, they’ll remain encrypted, appearing indecipherable to everyone but the authorized user—including your cloud storage provider.
- Prioritize seamlessness. When implementing security measures, keep in mind that employees want the path of least resistance. Security works best if you can’t tell it’s there. For example, sharing secure files in Dropbox should look the same as sharing regular Dropbox files; sending secure attachments shouldn’t require clunky portals; and accessing corporate files from home shouldn’t demand a difficult VPN. Finding security solutions that incorporate seamlessly into existing workflows is critical to getting your employees to use them.
- Keep your passwords strong. It may seem obvious, but passwords are still the gateway to corporate files, and they’re still the first line of defense. Make sure your employees have strong, unique passwords that get changed often.
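To make the file-level encryption recommendation concrete, here is an added example (not Sookasa’s or any provider’s code) in Go: a file is sealed with AES-256-GCM on the client before the sync client ever touches it, so the provider, the network and a lost phone hold only ciphertext. The key, file path and record contents are constructed for the demo; in practice the key would come from an OS keystore or KMS, never from the synced folder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example (not Sookasa's or any provider's code) of file-level encryption on
// the client: the sync client, the cloud and any synced phone only ever hold
// ciphertext. Assumes a 32-byte (AES-256) key held outside the synced folder.
type fileSealer struct{ gcm cipher.AEAD }
func newFileSealer(key []byte) (*fileSealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &fileSealer{gcm: gcm}, nil
}

// Seal returns nonce||ciphertext||tag; the path is bound as associated data.
func (s *fileSealer) Seal(path string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.gcm.NonceSize()) // fresh random nonce per write
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.gcm.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// Open reverses Seal; the tag check rejects altered bytes or a renamed blob.
func (s *fileSealer) Open(path string, blob []byte) ([]byte, error) {
	n := s.gcm.NonceSize()
	if len(blob) < n+s.gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed file")
	}
	return s.gcm.Open(nil, blob[:n], blob[n:], []byte(path))
}

func main() {
	fs, _ := newFileSealer([]byte("constructed-demo-key-32-bytes!!!")) // demo key only
	blob, _ := fs.Seal("clients/acme.docx", []byte("constructed client record"))
	pt, err := fs.Open("clients/acme.docx", blob)
	fmt.Printf("cloud stores %x...; owner reads %q (err=%v)\n", blob[:8], pt, err)
}
```

Binding the path as associated data means a ciphertext copied to a different file name will not open, and the GCM tag means any byte altered on the provider’s servers or on a stolen device is detected rather than silently decrypted.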
As the GDPR changes loom, it’s imperative to start securing files, implementing strong security safeguards, and creating a smooth transition for your workforce.
Asaf Cidon is CEO and co-founder of Sookasa, a cloud security and encryption company that enables safe adoption of popular cloud services such as Dropbox and Google Drive to store sensitive information.