The most important change in data privacy regulation in 20 years is taking shape as the European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018.
A recent Deloitte GDPR benchmarking survey revealed that only 15% of organizations expect to be fully compliant with the new regulation by May 2018, with the majority instead targeting a risk-based, defensible position [1]. Approximately three-quarters of enterprise cloud services still lack key capabilities needed to ensure compliance with GDPR [2]. Though cloud-based data storage is often seen as unsuitable for complying with GDPR cross-border restrictions, the truth is that several compliance advantages can be gained by moving EU data processing to the cloud. The real challenge, however, lies in seamlessly managing a cloud environment and complying with GDPR at the same time.
Let’s deep dive into the implications for cloud transformation in the post-GDPR world and the value an expert IT services provider can add by driving long-term improvements aimed at mitigating current and future risks.
Technical and financial implications of GDPR on cloud computing
The journey to the cloud is inevitable and more and more enterprises are moving to the cloud to reap benefits such as flexibility, scalability and resource optimization, in a cost-effective manner. However, GDPR compliance in the cloud can be complex.
Technical implications: With data subjects given the right to correspond directly with a cloud service provider (CSP) or through an organization that uses the CSP, it becomes imperative to identify where the data lies and respond within the stipulated timelines. This is possible only if organizations fully understand the privacy rights and ensure privacy by design—where privacy is built into the cloud solution. How can businesses ensure this? To begin with, it’s important to conduct an impact assessment aimed at identifying the gaps. This must be followed by an evaluation of how data is going to be protected, considering three aspects: where the data is stored, how it is processed and who accesses it.
Financial implications: The cost of non-compliance with GDPR far exceeds that of any previous regulation—it can attract penalties of up to 5% of a company’s global turnover, besides resulting in reputational damage and loss of customer trust. Deploying the right resources with intimate knowledge of GDPR and ensuring training will be critical to preventing and quickly spotting violations.
The writing on the wall is clear: organizations simply cannot choose to be complacent when it comes to GDPR. But some challenges stand in their way.
GDPR and the cloud: What to watch out for
In a recent survey, 91% of organizations said they are concerned about how GDPR will impact cloud services [3]. While general privacy challenges are inherent to the cloud, GDPR brings specific challenges of its own.
How hybrid cloud can help organizations fast track GDPR compliance
One common misconception is that public cloud services, with data held by third parties on shared systems, are less secure and a bigger challenge for GDPR compliance than traditional in-house systems or a private cloud. The truth, however, is quite the opposite. Operating a private cloud places total responsibility for security and compliance on the organization. This puts greater strain on internal IT, especially during power outages or disasters, and exposes the business to a greater chance of internal data theft. Inefficient firewalls, legacy applications, and poor access controls become easy ways for attackers to get inside a company’s data systems even when those systems reside in-house.
Cloud providers, on the other hand, ensure that systems, tools and continuity plans are in place to keep their cloud infrastructure safe and secure. Given the cut-throat competition among CSPs, innovative providers offer a value proposition around regulatory compliance, data security, and privacy management. They typically store corporate data in a secure virtual environment, backed by multiple layers of physical security. Such a set-up is often absent, or highly expensive to maintain, when businesses opt to manage their cloud infrastructure in-house.
Leveraging a hybrid cloud solution is the perfect answer to organizations’ GDPR woes. It allows businesses to take advantage of the cost-effective public cloud for less sensitive, non-regulated data while storing sensitive information (that needs stringent GDPR compliance) on-premises. Hybrid cloud mitigates the risks associated with data residency regulations, giving organizations greater control over the availability, integrity, and security of their data.
Making the cloud and GDPR work in tandem: How an IT service provider adds value
IT service providers enable organizations to get the best of both worlds—unifying different types of cloud, services, and enterprise data within a hybrid environment and enabling single-pane-of-glass monitoring. Here are three unique ways in which organizations can benefit by partnering with an experienced service provider:
Accelerating GDPR readiness with hybrid cloud
Defining a new paradigm of information security is an enterprise imperative in light of the GDPR coming into effect in less than two weeks. Different organizations are in different phases of adoption. While some have already undergone transformation and are ready to capitalize on enhanced opportunities, many are still planning and strategizing. Regardless of where you are in the journey, leveraging hybrid cloud and the consultative approach of a service provider can help ensure that the right policies and solutions are in place for superior data practices and compliance.
References
[1] Deloitte, Deloitte General Data Protection Regulation benchmarking survey, https://www2.deloitte.com/be/en/pages/risk/articles/gdpr-readiness.html
[2] Beta News, Majority of Enterprise Cloud Services Still Not Ready for GDPR, Oct 2017 (accessed May 2018), https://betanews.com/2017/09/18/enterprise-cloud-services-gdpr-readiness/
[3] Scoop, GDPR, cloud and the concerns, issues and needs of IT decision-makers, https://www.i-scoop.eu/gdpr/gdpr-cloud-it-decision-makers/
Rajiv Kumar - Cloud Pre-Sales head, Cloud & Infrastructure Services, Wipro Ltd.
Rajiv is the Head of Azure Cloud business at Wipro Limited. He has around 20 years of experience in the IT industry and has represented Wipro at leading industry conferences and events on cloud IT infrastructure and emerging technologies. He has played a key role in developing next-generation transformative offerings like Azure Stack and in rapidly growing the cloud practice across global geographies. He is a member of the Association of Enterprise Architects (AEA) and holds many leading certifications, including TOGAF, Azure MCSD and AWS Solution Architect. Reach out to him at rajiv.kumar@wipro.com