Ensuring data protection and data compliance with cloud: because the times they are a changin’.
14 March 2017
“The times they are a changin’”, sang Bob Dylan in his iconic 1964 song of the same name. The politically charged message that resonates throughout the song referred to the social and political changes rife throughout the “cultural decade” that was the ‘60s. Fast-forward half a century and Europe, particularly Britain, is preparing to go through a new set of huge political and economic changes, this time triggered by the departure of the UK from the European Union.
The ramifications of Brexit will undoubtedly affect businesses in the UK in a number of ways. One key area of change will be the ways in which data can be managed and utilised by British organisations. The UK’s digital minister Matt Hancock has already clarified that data laws in the UK are most likely set to mirror those laid out in wider Europe following Britain’s departure from the EU. Presumably, this is to make trade between the UK and EU members as simple as possible post-Brexit, by aligning the ways organisations manage their data with the requirements of the remaining member states.
The EU’s General Data Protection Regulation (GDPR) is scheduled to be enforced from May 2018. The GDPR directly addresses how organisations manage, store, and secure European data. If the UK is set to align with these regulations, as Hancock has implied, the UK is due a similar data ruleset. Even if this doesn’t turn out to be the case, the GDPR applies to any business that stores the data of EU citizens, which means it’s for the best to comply with these rulings either way if European trade is to remain on the table.
These political changes, coupled with the exponential growth of ransomware and similar data-targeting cyber-attacks, mean that businesses need to rethink and improve the way they manage their data processes in order to ensure data compliance, and ultimately data protection.
A notable trend emerging in the marketplace that addresses the issue of data compliance is the use of hosted and cloud services, in particular private cloud deployments. When managed effectively, the cloud can allow businesses to streamline and tighten data processes in order to improve the security and legislative compliance of any data “owned” by a business. How exactly can organisations utilise the cloud in order to ensure data compliance?
The cloud is helping businesses move forward at an astounding pace. By hosting data online, business networks are accessible regardless of where employees are trying to connect from.
Knowing where your data is stored is important, as is adhering to national and international data laws. Ensuring your data adheres to the laws of the country it’s located in is a vital aspect of data compliance. This is known as data sovereignty; in the UK it currently means, first and foremost, complying with the Data Protection Act of 1998. As mentioned earlier, post-Brexit the DPA looks as though it’s set to be updated or even replaced with something closer to European policy.
Adhering to local data laws should be a simple process, but this can soon get muddied when international laws and privacy acts also come into play. For example, Russian legislation states that any Russian data must be stored in datacentres situated in Russia, regardless of data sovereignty laws in other countries. The now-infamous, and failed, Safe Harbour agreement between the US and EU is another example of how data law can get more complicated on a geopolitical scale.
The best way to ensure true data sovereignty is to store UK data in UK datacentres, especially given the disruption and lack of clarity that surrounds the Brexit move. By storing your data in UK datacentres, you can ensure your data remains compliant with local laws and regulations both now and once Article 50 is triggered.
GDPR data compliance
The EU General Data Protection Regulation is forcing businesses to review the way their data is utilised across an organisation, whether they like it or not. Although for many this may come across as an extreme measure to take, it’s being implemented for good reason. The world is becoming more connected through increased reliance on the internet, and data is becoming more readily available, for example through social media and online applications. Obsolete data legislation needs to be updated in order to better protect individuals from the threat of data loss through both malicious and accidental means.
How does the cloud fit in this scenario? For many organisations across the UK, the cloud is being used as a means of reducing IT complexity and increasing accessibility, but also for standardising internal business processes and procedures. Hosting your network infrastructure on a private cloud allows you to collate your resources into one secure location (preferably from UK datacentres), allowing you to refine and limit access to data without reducing business flexibility.
Implementing technologies such as a virtual desktop infrastructure means that no data at all needs to be stored locally on devices, mitigating the threat of device loss or theft. Meanwhile, powerful enterprise-grade next-generation firewalls and security systems located in the same hosted environment protect against external threats. Physically speaking, datacentres are some of the most secure environments on the planet, and can often offer security a number of grades higher than an onsite server room.
A key point to make here is that it’s just as important to document and prove that processes have been put in place that demonstrate data compliance with the GDPR, as it is to actually be compliant. When implemented correctly, the cloud can act as an enabler of data security and data compliance, rather than an inhibitor.
A note on internal compliance and shadow IT
In order to be truly compliant with the GDPR, your organisation needs to be on board with your data policies from the bottom up. One side effect of the growth of cloud is the rise of shadow IT practices within an organisation. The term “shadow IT” refers to the use of applications (normally hosted on public clouds) within an organisation that aren’t approved, or often even known about, by the IT team. Applications that handle business data, such as Google Drive, pose serious security risks and raise the potential for a data breach.
Fortunately, when implemented alongside an internal awareness campaign, the cloud can also act as a way of reducing or eliminating the threat of shadow IT without affecting productivity. Replacing ad hoc software and applications from a number of third-party providers hosted on unsecured public cloud with applications managed on a private cloud deployment helps to ensure your data remains secure. It can also result in cross-departmental cost savings due to the reduced number of applications being used across a company.
Although the change that Bob Dylan sang about 50 years ago was perhaps of a more poetic nature than Brexit and the GDPR, the fact still remains that the departure of the UK from the EU will have a huge impact on the way organisations conduct business. Ensuring data security and data compliance with local and international law should become even more of a priority than it is currently, and utilising the cloud is just one way that your business can achieve this goal.
It’s easy to wait and deprioritise changes to your data management policies, but you’re only avoiding the inevitable. Breaking down the monumental task of committing yourself to data compliance, and starting now, will save a lot of stress and potentially cost when the GDPR is enforced in 2018.