GDPR: Why Cloud Could Put Customers in EU Regulators’ Sights

Companies are storing huge amounts of data in the cloud, both deliberately and as a result of shadow IT. While cloud-centricity can be invaluable in providing insights into customer behavior and increasing employee productivity, it runs smack into GDPR’s prime directive: Promote transparency so that EU consumers know how their data is being used, by whom, and where it’s stored. The legislation will hold organizations accountable for personal data they retain, whether it lives in their data centers or AWS’. 

If customers think GDPR doesn’t apply to them, that’s a service engagement right there: Any company that has collected data in any way on any EU citizen will be affected. There’s not a lot of time to raise awareness — the legislation goes into effect in May. But there is a need, because I’ve seen surveys suggesting that 48 percent of respondents are still unsure what GDPR even means. 

As a trusted service provider, you need to educate and enable customers to take the necessary steps to safeguard data. Faced with the threat of fines of up to 4 percent of global annual revenue, or $24 million, for non-compliance, CIOs will need help.

There’s more to this effort than I can cover here, of course. But one good piece of advice is to start by looking at what’s in public clouds, such as AWS or Azure, as well as Salesforce, Box and the other dozens – or more likely hundreds – of cloud services in use by employees. The cloud is one area that will face particular scrutiny during the GDPR transition period, as organizations come under pressure to regain control over data locality and security. GDPR gives EU citizens the right to query any cloud or communications service provider to find out what personal data is being held, and the provider must respond promptly. Other rights under the new reg: The right to rectification, meaning any data errors must be corrected quickly, and the right to data portability, which gives citizens the authority to shift information from one service provider to another in a standard format.

And don’t forget the right to be forgotten. Do customers have the means to deliver on these requests?

In addition to helping EU citizens regain control over their data, customers must demonstrate that they have control over remote access. I recommend you ensure all cloud service providers in use can generate audit logs showing who accessed sensitive data. Of course, to do that, it’s essential that customers understand where their critical data is stored. Partners can help with that too.

With GDPR coming into effect, the channel will play a crucial role in helping organizations re-evaluate their cloud, on-premises, storage, archive and sync-and-share strategies.The arrival of GDPR doesn’t mean employers can’t enjoy the benefits of a connected, collaborative workforce. It does mean that they need to spend some time and money to meet GDPR’s regulations. In fact, companies with significant amounts of data will have to employ a Data Protection Officer (DPO) and restrictions will be imposed on the transfer of said data. A huge responsibility rests on channel partners to provide comprehensive support to their users through this transition period.

Your job: Make sure customers can continue to make the most of the benefits of cloud while still adhering to the new regulations. The hefty fines issued for failing to comply with GDPR should help to concentrate minds ahead of its implementation. GDPR can also help partners demonstrate the value of their service to customers, because guarding against the risk of a 4-percent-of-revenue fine is an investment worth making.