Many Australian organisations are using cloud services to both run business applications and store massive amounts of data, according to Matt Hallewell, Cloud and Modern IT at Avanade, with the company stating it "transforms businesses for the digital era".
Cloud is just one part of that transformation, and now Hallewell tells us that the benefits of the cloud "are about to come under new data privacy and control regulations that impact Australian organisations".
So, what is GDPR?
Well, we're reminded that it stands for General Data Protection Regulation, and it's "Europe’s answer to data regulation".
"In Australia", he continues, "there is a sense of confusion as to what this actually means, with clients asking how GDPR relates to us".
The answer is, quite significantly.
No matter where an organisation is located — within the EU or not — Hallewell stresses that it must comply with the GDPR if it collects, processes, shares or stores personal data that identifies “EU data subjects.”
Australian businesses will have to comply if they:
- Operate businesses that are established in a member state of the EU;
- Offer goods or services to individuals in the EU, irrespective of whether a payment is required; and
- Monitor the behaviour of individuals in the EU, where that behaviour takes place within the EU.
With this in mind, Hallewell has compiled "the following focus areas whereby owners of data need to get their house in order, especially now that GDPR is a reality".
1. Shut down unauthorised cloud solutions
"A side effect of massive cloud growth in Australia is that many companies are currently storing data (including customer personal data) in many cloud services (such as Dropbox, WeTransfer, Apple iCloud, etc.) that aren’t authorised or controlled as traditional Enterprise IT services. This means that the data may be located and stored in multiple geographies around the world.
"Because data can be stored within multiple locations by cloud service providers, store corporate data in one location in every jurisdiction. Avanade recommends moving data from unauthorised cloud services into enterprise cloud services (such as Microsoft OneDrive) and shutting down third-party solutions, to give you more control over who is accessing your data."
2. Deploy mobile device management tools for greater data management
"GDPR has seen an increase in customers worried about mobile devices, smartphones or PCs having corporate data in uncontrolled environments. Mobile device management tools (such as the Microsoft Enterprise Mobility Suite) allow organisations to control and restrict access to sensitive data so it can’t be taken outside the corporate network or accessed insecurely.
"This is vital for organisations that have employees who travel to Europe on a regular basis, for example."
3. Collect necessary data only
"Specify in any data processing agreement that only the personal data needed to perform the app’s function is collected by your organisation and nothing more. There are limits on “special” data, which includes race, ethnicity, political views, religion etc."
4. Don’t allow cloud apps to use personal data for other purposes
"State clearly in any data processing agreement that the customer owns the data and it is not shared with third parties. It must be possible for the controllers to retrieve the data in a structured, commonly used format to provide to the data subject or another controller."
5. Ensure that you can erase the data when you stop using applications
"Make sure that you can download your own data immediately and that apps will erase your data once you’ve terminated any services with third parties. The more immediate (i.e. less than a week), the better, as the longer it takes, the higher the risk of exposure."
6. The contract should define a breach event
"Describe a procedure for the provider to notify your enterprise about any breaches without undue delay. Even if the cloud provider experiences a data breach that impacts multiple customers, you should be responsible for external communications and manage the overall breach with their support.
"What organisations don’t want is a breach making headlines before their provider notifies them of the breach and before the controller is able to notify local authorities. Organisations are not in control of the cloud provider’s (IT) environment and you must rely upon the (IT) controls that the provider has in place. Therefore, it is always necessary to assess to what extent the provider can comply with your IT security requirements."
Given that the GDPR deadline of 25 May has passed, following these measures is imperative to ensure you and your organisation are well prepared for the realities of GDPR now being in force.