Written by Jose Casinha, Chief Information Security Officer, OutSystems
The General Data Protection Regulation (GDPR) is right around the corner. The new regulation, which goes into effect on May 25, 2018, is arguably the most significant change in global privacy law in 23 years. Businesses must not only ensure that cybersecurity processes are in place to avoid facing financial penalties, but they must also take the time to assess that their software-as-a-service (SaaS) and managed service providers are compliant.
With May 25 less than two months away, the regulation places important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located. SaaS and managed service providers will need to ensure that they are complying with these regulations, and organisations choosing a SaaS or managed service provider should make sure the vendors they are considering comply with these regulations.
SaaS and managed service providers need to adapt and amend their services, contracts, and business processes to address the new requirements of the regulation. The consequences for non-compliance will be very costly. Infringement on certain articles of GDPR carries fines of up to €20M or up to 4% of the total global revenue for the preceding year, whichever is greater. Other fines carry penalties up to €10M or up to 2% of the total global revenue of the preceding year, whichever is greater.
The regulations apply regardless of where the personal data is retained, whether on paper or on servers in the cloud. However, the cloud poses quite a few specific compliance challenges.
Controllers and Processors
It’s important to understand everyone’s role in GDPR compliance. GDPR expands the scope of data security regulations. Previously, regulations only applied to the “controller,” meaning the person or organisation that determines the purpose and means of processing personal data. For example, a business would be the controller if it managed customer and employee data.
However, the GDPR extends the compliance responsibility to the “processor” of the data, which includes SaaS and managed service providers. The GDPR requires processors to develop and implement some internal procedures and practices to protect personal data. Most of those procedures and practices are related to information security management. Those who follow international standards like ISO 27001 or SOC2 are the most prepared for the GDPR challenges. Also, the processor must ensure that any subcontractors follow the requirements.
GDPR requires that controllers and processors know where personal data is located for storage and processing. This restricts the ability to transfer personal data to countries or international organisations outside the EEA. SaaS and managed service providers may have or use servers outside the EEA, but any transfer of personal data must comply with the GDPR data transfer principles. For example, a vendor's cloud could be hosted on Amazon Web Services (AWS), which allows customer data to be stored in Europe and thereby comply with GDPR. Data transfer is easier if organisations select a provider with infrastructure located in multiple regions.
Businesses, as the controllers, must assess through periodic audits whether the security measures of their SaaS or managed service provider (the processor) meet the security requirements. The same applies to a processor using a sub-processor. Each international security standard has its own security programme as part of the certification process: periodically, the controls that are in place are evaluated, as is their compliance maturity level. As an example, ISO 27001 Annex A specifies 114 security controls that certified organisations are required to adopt, and any exclusion of a control must be justified.
Rights of Individuals and Cloud Contracts
GDPR extends specific rights to individuals regarding the use of their personal data. These include the processes for transferring their data and for determining when it must be erased. Even though these responsibilities are assigned to the controller, it will fall on the processors to adapt their infrastructure or services to accommodate them. For example, the choice between shared and dedicated databases must be made according to the nature of the data schema.
The GDPR is prescriptive about the contents of the contracts established between controllers and processors and sets out many stipulations, including when to process personal data. As people become far more security-conscious about their personal data, there will be more regulations like GDPR. The best approach is to stay ahead of the regulations by launching security initiatives and keeping up with the latest security certifications. By adopting international standards in information security management, companies are much more prepared to handle new requirements.
Data Centre Providers
Data centre providers are also an important link in the GDPR compliance chain that cannot be overlooked. They own the physical assets where information is stored. In that sense, they are considered processors and are required to manage the personal data related to physical access control, such as biometrics, video surveillance, and information about their own employees and subcontractors.
The GDPR deadline is fast approaching and organisations have less than two months to be compliant. Without a doubt, the protection of customer and partner data is essential to the survival and success of every organisation. Everyone must understand these regulations and take responsibility for the data they work with, be they controllers or processors. Importantly, organisations must take the time to assess that their SaaS and managed service providers are compliant with GDPR before the deadline. GDPR compliance will ultimately improve data security, which is vital in today’s volatile cybersecurity landscape.