By Eric Lybeck, Director, Cybersecurity and Privacy, PwC
Cloud-based data storage is often seen as presenting challenges for complying with General Data Protection Regulation (GDPR) cross-border data transfer restrictions. What is pointed out less frequently is the set of compliance advantages that can be obtained by moving EU data processing to the cloud.
To find these advantages, there is no better time to re-examine technology infrastructure and consider the benefits of transitioning to the cloud. Companies should first assess their IT environment and then re-imagine what an optimal environment looks like. Companies may then consider cloud solutions as a way to ease the achievement of compliance.
GDPR presents an opportunity for cloud providers to drive value for their customers and provide for long-term improvements to mitigate current and future risks.
The time is now for companies to assess their existing IT architecture. Having a clear view of the existing architecture’s ability to satisfy GDPR requirements provides an understanding of strengths, as well as of the considerations to be made prior to adopting new tools or deploying an entirely new IT environment, such as the cloud, to implement adequate security and privacy safeguards.
Before looking around at the wide variety of solutions and options available, companies should start by taking a step back and doing some introspection on their functions, performance, and goals. If the GDPR was created as a response to technological developments impacting human rights and risks to individual privacy, then it follows that companies should look at their current IT environment and evaluate its interactions with personal data. This assessment must consider business priorities in order to incorporate solutions that are technologically current and able to meet modern compliance requirements, without creating unnecessary exposure or cost. For some, existing architecture is rife with manual processes, risk intolerance, and an inability to adapt to business innovation.
This is where cloud integration comes in. Adoption of cloud services allows for the re-design of core processes so that they are scalable, risk-tolerant, and receptive to supplier and consumer needs. Cloud technology encourages consolidation of personal data storage so that data is easily retrievable and can be consistently de-identified or anonymized, aggregated, and deleted. Cloud integration canvasses business data to provide a holistic picture of the breadth and depth of that data, enables infrastructure transparency, and promotes a strong security, privacy, and compliance posture.
While such an audit will inevitably require initial investments in conducting gap assessments, building data inventories, and integrating and updating infrastructure, GDPR is likely just the beginning of globally reaching data privacy requirements. The cloud’s pliancy offers the potential of a long-term solution that will be adaptable to meeting future compliance expectations.
In traditional, on-premises IT environments, organizations are now tasked with engineering solutions for GDPR that may prove very difficult to maintain over the long term. Organizations often have complex IT infrastructures, making the implementation of some GDPR requirements, such as individual rights, a manual process that absorbs excess time and drains resources.
Privacy-by-Design (PbD) incorporates data protection standards before a company’s relationship with personal data begins. In other words, instead of being an ‘add-on’ or afterthought to business operations that are already set up, PbD requires protections for personal data to be embedded into the design of data processing systems before collection begins. For existing businesses looking to transition to the cloud, the cloud infrastructure offered by leading cloud vendors already embraces PbD, making compliance with data protection requirements inherent in its functionality and use.
Implementing cloud technology infrastructure requires companies to undergo a technology functionality gap analysis, whereby the technology-driven requirements of the GDPR are assessed against the technology capabilities of the organization, covering the entire data lifecycle management process and its associated policies, infrastructure, security, and controls. The gap analysis will expose deficiencies, vulnerabilities, potential threats, and areas of non-compliance.
Moving to an integrated cloud infrastructure allows businesses an opportunity to implement a strategy for automating many of the manual compliance burdens of existing legacy systems. Companies can reduce the IT infrastructure footprint and replace obsolete servers and applications by consolidating tasks and operations, improving integration, and automating compliance-related activities.
System administrators and management using legacy, on-premises IT infrastructure must sift through multiple logs to pinpoint the moments leading up to a security event. Cloud providers automate compliance with always-on auditing, and establish a secure system with encryption and other privacy-enhancing technologies, configurable to customer requirements.
Cloud systems establish multi-tenancy, where a single instance of the software runs on a set of integrated and redundant servers, offering high availability across multiple customers. One advantage of multi-tenancy is that there is one set of metadata that is inherited by each tenant. For instance, if there is a change in privacy compliance requirements, then through the multi-tenant system all tenants benefit from inheriting the compliance update on release. In comparison, with on-premises systems, individual system teams have to implement the same compliance requirements across each on-premises system individually to achieve a comparable result. Further, with multi-tenancy, cloud providers collect sets of data to understand how products are used, which allows them to design and deploy the features that are most useful for compliance.
While challenges for regulatory compliance exist regardless of technology architecture, cloud systems offer unique solutions as well as accelerate and ease implementation of compliance measures. Prior to contracting with a vendor, understand and assess the vendor’s capability to meet GDPR requirements.
Overall, consider it a benefit that cloud technology increases collective accountability, as it yields a multitude of potential improvement measures, all of which can be implemented through software. Organizations should consider the benefits of the cloud as they look at potential measures to improve compliance.