In just about a month, GDPR will take effect, dictating new storage and privacy regulations for all data controllers and data processors who are either based in the European Union or serve individuals based therein. Failure to comply with these new regulations can saddle organizations with steep fines, including either 4% of annual global turnover or €20 Million (whichever is greater). While these fines are tiered based on the severity of an organization’s offense, even the lesser penalties (such as €10 Million or 2% of annual global turnover, whichever is greater) are nothing to bat an eye at.
With only 30-odd days for organizations to prepare, enterprises are going to want to get serious about developing a plan for these approaching regulations. Luckily, there’s an easy and painless set of solutions that ensures enterprises have all the necessary tools to make GDPR compliance simple and straightforward.
A large part of these solutions is cloud collaboration platforms.
Before we dig into how cloud collaboration platforms, and migration to them, present a solution for companies anxious about GDPR compliance, let’s take a quick look at some of the major new regulations with which these companies will be expected to comply.
In Article 25 of the GDPR, the law lays out the principle of “data protection by design and default.” Long story short, this regulation demands that organizations privilege the protection of users’ data, and that data processors only process personal data which is necessary for a task. In the article’s own words:
“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
Organizations that collect and process the personal data of their users are, thus, expected to take exceptional care with what data they are specifically collecting, how long they are storing it, and what it is that they are doing with the data they collect and store. This also forbids the proliferation of personal data by organizations to other organizations. Organizations cannot simply review these privacy considerations after a storage process is implemented. Rather, the GDPR expects these considerations to precede the design of how an organization will store data.
In Article 30, the GDPR demands that organizations provide “records of processing activities,” including such information as “the purposes of the processing,” “the description of the categories of data subjects and of the categories of personal data [being processed],” and “where possible, the envisaged time limits for erasure [of the data],” among others. As with Article 25, these new regulations lay out a clear agenda: protecting the data of users through enhanced systems of transparency and accountability on the part of controllers and processors. Organizations will be expected to provide documentation of their data processing and storage, in part to prove that they are dedicated to compliance with all other articles in the law. Providing these records in a timely manner and to the standards of detail demanded by the GDPR will require internal record keeping and an increased understanding of data use and storage on the part of the collector or processor.
Article 32, headlined as “security of processing,” dictates that, in storage and processing, organizations must guarantee “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” Should an organization be willing to store and process the data of a user, that organization must be able to promise that user that the systems and services by which that data shall be processed and stored are secure, protected, and generally up to the task of certifying that data’s safety. As a supplement to this, Dropbox notes that organizations are required to have tougher breach notification procedures in place, such that—in the event of a breach—organizations and users alike are made aware of the security failure.
While the text of the GDPR is far longer than these excerpts (and available in full here), these three articles provide organizations with a strong sense of what to expect, especially with regard to storage and processing expectations. Data sovereignty is the heart of the GDPR, and by providing new regulations, the law holds organizations accountable for this sovereignty. So, how can organizations accomplish this?
Let’s talk about cloud collaboration platforms.
While it might not immediately occur to organizations to use cloud collaboration platforms to store sensitive user data, major cloud platforms such as Dropbox, Box, Office 365, Egnyte, and ShareFile have been working tirelessly to provide customers with a host of powerful tools to maintain compliance, and protect and keep track of user data. These platforms provide powerful options for organizing, collaborating on, accessing, and reporting on files which may contain sensitive user data in accordance with GDPR regulations.
Take Egnyte, for example. With real-time alerts, Egnyte allows admins to see when files are accessed or used without authorization, ensuring that breaches are noticed and reported per the standards of the GDPR. Centralized security controls allow admins to simultaneously see where every byte of personal data is located and who has access to it. This tool allows for easy categorization and tagging, wherever that data may be stored. This means quick access and intuitive search capabilities for the purposes of reporting on data in a timely manner.
This doesn’t even touch on the capabilities of Egnyte Secure, which is designed with compliance to regulations such as GDPR, HIPAA, and FINRA in mind. Secure allows classification of all stored data, no matter where it’s stored, and provides a centralized dashboard that allows admins to navigate these controls without the need for excessive specialized knowledge. With the ability to identify sensitive files immediately upon creation or storage, Egnyte Secure’s quick and easy deployment makes it an ideal governance center for those preparing for GDPR.
ShareFile offers similar tools, including the ability to dictate the sharing of reports and specific groupings of data, and the creation of 2-Step Verification systems to ensure the security of user data, along with password protection and mobile security protocols. Data Loss Prevention (DLP) policies allow admins to view when reports and files are accessed or downloaded. Ongoing auditing and tracking of sensitive user data is built in and easily instituted to reinforce these policies. On top of these security protocols, ShareFile provides additional encryption capabilities.
OneDrive for Business and SharePoint Online also possess a number of powerful DLP policies that will no doubt help organizations protect user data. Admin-facing incident reports and notifications of external sharing of data provide companies with the tools to craft comprehensive breach reports at a moment’s notice, and additional encryption beefs up the security for sensitive data in compliance with GDPR. These options can be scoped to individual sites in SharePoint, ensuring that organizations can remain flexible in their compliance.
In addition to these myriad reporting and security capabilities (including newly implemented anti-cybercrime capabilities such as the ability to tag files and data in such a way that they cannot be forwarded or shared by those with whom they’ve been shared), Microsoft’s Multi-Geo system allows global organizations to host data at specific locations to address all global compliance regulations, not just those of GDPR. Multi-Geo recognizes that the scope of a large organization means having to adhere to more compliance regulations than just GDPR, and this multiplicity of regulatory concerns should be centrally manageable, such that one does not detract or distract from others.
Box Zones offers a similar system, by which organizations can store user data in multiple locations that are all centrally manageable. This approach to storage makes reporting and categorization of data under compliance far simpler, and ensures that companies don’t feel like GDPR is an additional burden on their data storage. By streamlining access while building a sterling system for hosting user data, Box Zones is practically built for GDPR and global compliance concerns.
With all of these options for compliance in the cloud, collaboration platforms are offering organizations a powerful toolkit for approaching GDPR. With cloud collaboration platforms, GDPR won’t break an organization’s stride, nor will organizations feel as though they have to scramble to comply and avoid crushing fines. More so than most other storage solutions, cloud platforms are designed to help companies adopt GDPR regulations, and make a powerful opportunity of what could be an obstacle course for the unprepared.
Please be aware that this article is provided as information only and should not be treated as legal advice.