The complexities of cloud data compliance

Compliance with data regulation doesn't go away when migrating to the cloud.
31 January 2019


With every passing year, cybersecurity is making its way further to the top of the CIO’s priority list.

No longer just the concern of large corporations, the digital integrity of an enterprise is an issue that now keeps the leaders of small and medium-sized businesses up at night too.

As more companies migrate to the cloud with mission-critical enterprise operations in tow, the threats to data, finances, operations, and reputations as a result of being compromised continue to multiply. But it’s not just the company itself that stands to fall victim; protecting the privacy of consumer data is also the data holder’s responsibility.

According to the EU statistics agency Eurostat, 41.9 percent of UK enterprises are now on the cloud (more than France, Germany, Italy, and Spain), whether for file storage, cloud-based email or, of course, fleets of office software.

But as businesses increasingly turn cloudwards, they will also need to navigate an ever more complex set of guidelines in order to remain compliant with data regulations. For cloud users, compliance is expected to become increasingly complicated as businesses move forward.

Coming into force last year, the EU’s General Data Protection Regulation (GDPR) has already cost Google $57m in France this year. But it’s not only GDPR that CIOs in Europe have to worry about; there’s also the EU privacy directive, the Privacy and Electronic Communications Regulations and the UK’s Digital Economy Act of 2017.

Similar regulations are being rolled out across the world. California has its own interpretation of GDPR, for example, and other markets are following suit as the data privacy discussion gathers speed. All this has implications for how data is handled within a business’s cloud infrastructure.

Talking to ComputerWeekly, Neil Thacker, CISO at Netskope, said that IT teams need to perform a thorough internal compliance audit to ensure providers and internal processes follow the rules.

“The primary tasks include identifying where and how an organization’s data is being stored and protected,” he said.

GDPR restricts the transfer of a consumer’s data outside of the European Union and, of course, requires the user to consent to its collection, storage and use in the first place.

“Geolocation and data sovereignty are regular checks that organizations must undertake. Many organizations use their record of processing mandated by Article 30 of the GDPR, using it as a central inventory to ensure cloud compliance is maintained,” he added.

Another industry expert, Andrew Parker at IT consultancy Step5, warned in the same report against not making proper preparations when it comes to the storage and usage of data in the cloud, and where it could ultimately end up.

“Many organizations have fallen foul by failing to understand their data footprint before starting the cloud journey… this includes the GDPR and the commercial sensitivity of the data, and the data classification,” Parker said.

Ultimately, shifting the workings of a business to the cloud is not a decision to be taken lightly, and the integrity of data should remain a subject of ongoing attention.

“There are no panaceas, the GDPR will penalize you for choosing the wrong public cloud provider, or not specifying the SLA (service level agreement) properly, as well as penalizing the cloud provider if the error results in a data breach.”

CIOs need to ensure that employees, right up to external providers, are following the rules, and to stay up to date, measure, and maintain compliance standards.

Fortunately, frameworks such as ISO27001 provide security and quality compliance, with cloud providers nowadays more willing to allow third-party audits.

Ultimately, vigilance is the order of the day, and IT leaders need to ensure that these standards and benchmarks are always being adhered to.