Cloud Data and GDPR – What You Need to Know
If you use the cloud, then your GDPR strategies must include cloud data management. The good news is that these very important elements can be aligned and deliver benefits to the organization’s overall data strategy and feed directly into digital transformation programs.
In the initial three blogs of this GDPR data breach series, I’ve looked at how security and data management principles overlap when it comes to data breaches. Whenever I talk to senior IT people and executives, the next topic I get after the breach discussion tends to focus on the cloud.
Unfortunately, cloud is a big topic that we should talk about in an upcoming conversation. What I will start with, though, is that before you worry about the data management in the cloud, you need to ask a few questions:
- Does the country where the SaaS or public cloud service is located have EU data protection adequacy?
- Can you even control where your data will end up in your choice of cloud/SaaS provider?
- What are the GDPR credentials of the cloud service in question?
- What is their notification and arbitration process after a data breach?
- In GDPR terms, cloud providers generally fall into the area of Data Processor, but as the purchaser of the service, you are the Data Controller – have you checked to ensure personal data is being processed in accordance with GDPR?
Each answer will undoubtedly lead to more questions. The worst outcome would be when a major non-EU based supplier tells you “we aren’t and don’t plan to be GDPR compliant.” Not good.
GDPR step one is finding your organization’s cloud data
The next shock you’re likely to get is finding out just how many cloud services your organization is using without your knowledge – shadow IT. One compliance officer I spoke with expected to find a few dozen cloud services during an audit, but the real figure was in the hundreds. Beyond training and an amnesty, unknown cloud data can be difficult to deal with as you plan for GDPR.
Then there is the cloud data you do know about. Or think you know about, to be more precise.
Public clouds are used by business to store primary data, get data copies offsite, archive it and collaborate, in addition to running applications. A lot of corporate email has left on-premises systems and been vaulted into the cloud, too.
Unfortunately, I see too many cases of business putting its data into the cloud and then assuming that it’s now "someone else’s problem." This is problematic on number of levels.
Firstly, by not managing your data’s lifecycle in the cloud, you’re going to be paying more in cloud billing, as well as leaving yourself at risk from a GDPR perspective. Secondly, your cloud provider (in most cases) will keep your data available, but not backed up.
It’s at this point I normally remind people to check their cloud providers contract. As part of the shared responsibility model of your cloud agreements, your data remains your responsibility from a backup and GDPR perspective. Some public cloud providers will offer add-on services in these areas, but often only for data in their cloud, leaving you with fragmented tools when you have a hybrid cloud model.
Aligning GDPR preparation and cloud data management
Commvault can really help you get ready for GDPR and improve your cloud data management strategy at the same time. You’ll also be adding value by making your staff more productive and cut costs when you deal with ROT (redundant, outdated, trivial) data.
Profiling your on-premises and cloud data with Commvault software will help you identify the personal data, or PII, that you need to be concerned about. This ongoing profiling activity provides informative dashboards that enable you to create Commvault policies to efficiently archive or delete data as appropriate, including "contraband" data that shouldn’t be stored at all.
The Commvault platform’s analytics, compliance and search technology works just as happily in a hybrid cloud environment as it does on-premises. When you get an understanding of data in this way you can reduce the risk of data breaches due to human error – such as sensitive data left in poorly secured cloud buckets. The Commvault platform also includes powerful search tools that will also help you deal with GDPR Subject Access and Right To Be Forgotten requests.
In fact, the Commvault platform includes native integration with the big public cloud players, so it can help you migrate workloads and data there in the first place, even your email system. When you use the Commvault platform to apply data intelligence before migration, you can get there quicker and at lower cost.
One further thought. Managing your data in this way might not be the only way to speed things up. Having unified dashboards and common management and protection policies for on-premises and cloud systems could mean your risk officer uses the "approved" stamp a whole lot more often for cloud-first or cloud migration programs.
Whether you need to know more about your data on-premises or in the cloud, read about Commvault's GDPR solutions. It’s a great place to start. Isn’t it time you actually looked at your data?