The European Union General Data Protection Regulation (GDPR) offers stringent guidelines for the protection of user data. It provides a path for securing user data and protecting it from proliferating internet threats.
The GDPR is not unlike the rules of the road. To protect the public and let us get to our destination, governments have established rules to protect drivers, passengers and bystanders. Traffic lights, speed limits, right of way and other rules ensure safe travel for everyone.
For a website visitor traveling over the internet to a specific destination, data security and privacy are important. The visitor wants his or her data to arrive at its destination securely and to remain secure throughout the journey.
To assist with this, governments have introduced data privacy laws and regulations. Like the rules of the road that help protect people and property, privacy laws help protect a person’s information. We wrote previously about GDPR guidelines. In this post, we look at how it affects your cloud service provider and how you can choose a provider that has future-proof processes for the GDPR.
Protecting Data in the Wild
The threats to a website visitor’s information, whether in transit or at rest, have risen tremendously over the past few years. Press reports of the loss or exposure of millions of users’ records have become commonplace. This reduces a user’s trust in the internet and in the companies that collect and store their information. A data breach can lead to financial, mental and even physical harm, creating a significant impact on the life of the website visitor.
Governments are realizing the gravity of the situation and the potential slowdown for businesses, including the resulting impact on the economy. To improve user trust, these governments are implementing timely regulations and technology changes that place the responsibility for protecting users’ information squarely on those that collect and process it.
How GDPR Works
The GDPR puts in place the necessary protections for user data and business accessibility. Businesses need to prepare now and be ready to adapt to the privacy requirements dictated by the GDPR. The new regulation imposes an extensive list of personal data privacy protections, limitations and compliance procedures, while mandating severe penalties for non-compliance. Due to the extensive nature of this regulation, organizations should look closely at their current privacy protection programs and set a goal to meet the GDPR requirements before the go-live date in 2018.
If you are not a European organization, you may think you are off the hook. Wrong! It is very likely that your business will have to adapt to the new regulations, because you deal with personal information from your European customers. While the GDPR was written for the EU, it applies to any data retained by your business about a customer from the EU.
The Road to GDPR
Navigating GDPR can be complex and confusing. To learn more about the regulation, we suggest these steps that can help you make the move into the next generation of privacy standards.
We look at how to choose the right cloud extension for your business in the context of data privacy readiness. We also offer ideas on how to validate that the vendor you use or select has implemented high standards of data protection and privacy care.
If you choose a vendor that does not have the proper data protections in place, your cloud security strategy could become the weakest link in your GDPR planning. This could potentially lead to a business slowdown or even heavy fines.
GDPR and Your Cloud Service
Companies that use software as a service (SaaS) solutions are facing new challenges with the introduction of the EU regulations. The responsibility to comply with GDPR applies to a SaaS solution if it sits in the data path of EU website visitors.
Choosing a SaaS vendor has never been an easy task, especially when compliance is a factor. Adding privacy constraints to the equation multiplies the complexity.
Here are areas to focus on when choosing a vendor.
- Verify whether your users’ private information leaves tracks in the data path when it passes through and is processed by a third party. In such a case, the first question to ask is, where is my data? The “where” refers to the physical location. The next steps would be to follow the path of the data during the lifecycle of the process to ensure it is secure at every point.
- Understand how the vendor handles the data and what processes the vendor has established to ensure that it is securely processed and stored. You’ll need to ask if they can prove how the data is secured by indicating the controls and risk management processes in place. By focusing your question on a specific scenario, you can better understand if the vendor has truly adopted high standards. For example, ask for details on their version release process and how they validate that existing and new features are aligned in terms of data protection.
- Validate whether the vendor has a clear access control policy that is well defined and audited. Ask who can access your data, under what circumstances, what they can see and whether this access is tracked.
- Lastly, understand how much the vendor cares about information security and data protection. Some SaaS and IaaS companies may have a great product and be considered leaders in their space. However, that doesn’t mean they pay much attention or invest resources in meeting security and privacy requirements. This greatly affects their data privacy readiness and future compliance.
GDPR and Incapsula
Incapsula has always had a strong security and privacy focus and sees the GDPR regulation as an integrated part of these requirements. Our GDPR compliance series gives you a comprehensive view of what the regulations mean and how they affect you.