This is the second in a series of articles explaining how companies should address the daunting requirements around data security and cloud services contained in the GDPR. With the May 2018 compliance deadline looming, organisations should already be on the path to compliance. With cloud services a major part of the GDPR puzzle, this series of articles is designed to provide practical guidance to help organisations along the road to compliance.
In the previous article, we looked at how organisations could address the first “audit” stage. This first step in the GDPR compliance process can be broadly summed up in the following headings:
Discover every cloud application used by employees across the business;
Know which personally identifiable information (PII) and data are being processed in the cloud by employees, and understand whether this data is defined as “sensitive” under the GDPR;
Secure data by conducting a GDPR readiness assessment and checking that you have a data processing agreement (DPA) in place with every cloud service. Set and enforce policies which mandate the use of managed cloud services to process and store PII;
Coach employees in best practice to ensure staff readily adopt and use the services approved by IT, and
Use a cloud access security broker (CASB) to evaluate whether the cloud apps and services in use across the business are enterprise-ready.
With those stages of the audit complete, the organisation will be in a much better position to assess what needs to be done to achieve GDPR compliance. The next question is how organisations action that insight to improve their GDPR readiness, which brings us to stage two: rationalise.
The rationalise stage is essentially about taking the findings from the audit stage and applying them to the cloud services in use, in order to shrink the organisation’s attack surface.
Following the audit, IT teams will have a good picture of data at rest and in transit (and of where that data is going). The audit report will also show which cloud services are in use across the organisation, what data is held in each of them, and whether a data processing agreement (DPA) is in place for each service.
Building on this information, the rationalise stage can be defined as follows:
Find cloud services in use from the audit stage which do not have a DPA in place;
Consolidate those services, narrowing down to a manageable number of secure cloud services which have DPAs in place;
Sanction services which do not comply with the GDPR, and strongly consider blocking the use of those which are non-compliant and show serious security def