A survey by cloud access security broker Netskope finds that very few companies are confident they will comply with the upcoming EU General Data Protection Regulation (GDPR), and many are worried about how they will implement the regulation.
According to the findings, only 21% of IT professionals in medium and large businesses felt sure they would comply with upcoming regulations, including the GDPR – which is set to be finalised in Spring 2016 and enforced from 2018.
A further 21% of respondents assumed that their cloud providers would handle compliance obligations on their behalf – a solution currently prohibited by the GDPR legislation. A further 18% of those surveyed admitted that the topic of compliance and regulation surrounding cloud apps “strikes fear into their hearts,” highlighting the extent of confusion and concern in light of the coming changes to the regulatory landscape.
Asked specifically about cloud app use, 29% of IT pros said that they were aware employees use ‘some’ or ‘many’ unauthorised cloud apps within the business. A tiny 7% of respondents from medium and large organisations said they had a solution in place to deal with the use of unsanctioned apps within the workplace. Cloud apps pose a particular challenge to GDPR compliance because they often create unstructured data – which are covered by the legislation, but are typically much harder for organisations to manage because of how the data are created and stored. Data are typically created by users of cloud apps such as productivity or collaboration applications, often meaning that data are stored on mobile devices and shared with others through unsanctioned applications and cloud storage. All of these data are outside the organisation’s direct control, and therefore pose a serious risk to compliance with the GDPR.
The latest Netskope Cloud Report (Autumn 2015) found that the average number of cloud apps in use per enterprise in the Europe, Middle East and Africa (EMEA) region was 608, a 26% increase from the previous report. This demonstrates the huge potential for the creation of unstructured data, the management of which poses significant regulatory risk. To add to this uncertainty, 89.8% of these apps were found not to be enterprise-ready, lacking key capabilities in areas such as security, audit and certification, service-level agreements, legal, privacy, financial viability and vulnerability remediation.
“The GDPR will have far-reaching consequences for both cloud-consuming organisations and cloud vendors,” said Eduard Meelhuysen, VP EMEA, Netskope. “With the ratification of this piece of legislation imminent, the race is on for IT and security teams who now have two years to comply. Although that might sound like a lengthy timeframe to complete preparations, the significant scope of these reforms means that businesses have their work cut out to ensure compliance in time for the EU’s deadline.”
Under the GDPR, organisations must be sure that personal data are processed in ways consistent with the regulation. This means that businesses must take organisational and technical measures, beyond traditional security measures that are aimed at confidentiality, integrity and availability of the data, in order to ensure compliance with the GDPR.
“The key is to start preparations as soon as possible. The technical challenges are made even more significant by the myriad complications presented by the cloud and shadow IT, which make personal data even harder to track and control,” said Meelhuysen. “As a starting point for GDPR compliance, organisations need to conduct an audit to ensure they understand what cloud apps are in use – both sanctioned and unsanctioned – and what data are in those cloud apps.”
Netskope has published an associated downloadable GDPR readiness kit full of information and best practice around achieving GDPR compliance, with specific reference to the challenges posed by cloud app use.