Cloud Apps Face an Uphill Battle for GDPR Compliance

As the marketing leader for Netskope in EMEA, I have been consumed lately with a topic that’s top-of-mind for European enterprises: the EU General Data Protection Regulation, or the GDPR. This is especially important given how little visibility enterprises have into the cloud apps their employees are using. It’s hard enough to govern what you can see, but impossible to govern what you can’t, and since shadow IT represents well over 90 per cent of cloud app usage, European enterprises are already at a disadvantage when it comes to addressing privacy in the cloud.

My team are working with privacy and legal experts to understand the legislation and how it applies to the cloud. Together with these experts, we have published this white paper and a host of additional educational materials as well as hosted numerous regional workshops to look at GDPR through the lens of cloud usage, an area that few are addressing. So, when we were doing the research for the Cloud Report that we released last week, an obvious area of analysis was how equipped the apps that enterprises are using are for the soon-to-be-ratified GDPR.

What we found is overwhelming evidence that organisations will face an uphill battle when it comes to complying with GDPR if they are using cloud apps (and they ARE) because those apps are not GDPR-ready. Specifically:

• 12.7 per cent of cloud apps don’t support data portability requirements, which infringes on the rights of data subjects per the GDPR compliance;
• 43.2 per cent of cloud apps keep data for longer than one week upon termination of service, going against the GDPR requirement that personal data must be protected and thus, deleted in a timely manner;
• 59.9 per cent of cloud apps do not specify that the customer owns the data in their terms of service, which means users are at risk of having their personal data used for other purposes, such as research and marketing; and
• 99.1 per cent of cloud apps replicate data in other geographic areas. For business continuity in the event of technology failure, disruption of power, cooling or other resources, or a natural disaster in the area, virtually all cloud apps back up or replicate user data in geographically dispersed data centers. While this is a requirement of most enterprises to ensure data availability, it may go against the GDPR’s data residency requirement.

Enterprises know it too! According to a recent study we published a couple of weeks ago, only one in five companies are confident they will comply with the GDPR, a statistic that underscores the uphill battle they face.

Even though this is the talk of the town on our side of the pond for now, state-side enterprises and their vendors should be thinking about it too. The legislation doesn’t applies not just to European companies, but any company doing business with European customers.

How are you intending to comply with GDPR in the face of cloud usage and shadow IT?