GDPR has been covered in great length in the run up to the enforcement date, with checklists, guides and whitepapers telling us what we need to do to stay compliant. This is all great, if your data is held in and structured in one central place. But the rise of cloud based app usage within organisations could certainly cause some difficulty when it comes to complying with the rules.
The Netskope Cloud Report by the Cloud Industry Forum found that the average European enterprise businesses are using over 600 cloud apps. Whilst this covers the more obvious SaaS applications such as SalesForce and Expensify, it’s thought that organisations underestimate this figure by 90 per cent. Think teams setting up Dropbox to quickly share files for projects, or marketing agencies sharing large files with suppliers via WeTransfer.
This data fragmentation (caused by having hundreds of apps) creates an issue for anyone trying to ensure GDPR compliance within an organisation, as they are effectively unaware of 90 per cent of the applications their company uses and the types of data held within those platforms.
Centralisation of this data can be a major step forward for GDPR. Products like G Suite and Office 365 allow users to provide good business tools for their staff while also having the benefit of providing centralised controls, reports, alerts and visibility of the data being used across the organisation. This minimises the number of apps, contracts and data fragmentation while also providing users with powerful tools to get the job done.
Policy complimenting technology
However, technology is only one part of the overall solution. Whether you have hundreds of applications or only a few, organisations also need to understand what other controls need to be implemented in order to ensure that they are compliant. This includes:
- Understand Data Usage: When using cloud apps organisations need to audit and understand what data they hold, where it came from, where it is held, what they do with that data, if it’s shared and how it fits with their data policies.
- Data Protection Policy, Business Processes and Procedures: Organisation need to ensure they have a data protection policy in addition to any required processes and procedures to ensure the information risk is being managed effectively.
- Staff Training: Organisations must engage employees on what GDPR means for them in their day to day job and train them on the policies and procedures that they need to adhere to, to ensure the company remains compliant.
Organisations may need a GDPR Data Protection Officer to ensure the correct level of controls are in place and remain relevant.
The bottom line is organisations need to understand what PI data they hold, why they are holding it, how long they need to hold it for and how it’s being managed. This must be communicated to their customers and staff and, where appropriate, mechanisms must be put in place to remove the data should it be requested. Technology is not the only part of the solution. Policy and technology complement each other.