Having analyzed its CloudRegistry of over 7,000 cloud services, Skyhigh can reveal that the vast majority are not prepared for these new laws, with numerous and significant issues pertaining to new requirements such as:
- The right to be forgotten / data infidelity and deletion policies
- Data residency
- Data breach detection and notification
- Encryption and secure passwords.
It’s staggering how few cloud providers are prepared for the new EU regulations but, fortunately, there’s still time for providers to get into shape. This means addressing a number of complex issues now, such as the right to be forgotten, as well as implementing data protection policies that meet these new standards. For cloud providers this will inevitably require additional resources and expenditures, but it’s a snip given the proposed penalties for violating the new laws, which can be up to five percent of a company’s annual revenue or up to €100 million.
“One of the most well-publicised and controversial amendments to the new regulation is the right for individuals to request deletion of data identifying them. It’s a complex issue but, given the media interest surrounding it, one that’s unlikely to blindside cloud providers.
“Still, when you consider that the average organisation uses 738 cloud services, complying with this requirement presents some unique challenges. A big problem is that 63 percent of cloud providers maintain data indefinitely or have no provisions for data retention in their terms and conditions. On top of this, another 23 percent of cloud providers maintain the right to share data with another third party in their terms and conditions, making it even more difficult to ensure all copies are deleted.
With this in mind, it’s fair to say that the right to be forgotten could turn out to be a massive headache for many organisations – cloud service providers themselves and those companies using these services – it’s not just an issue for Google.
The list of countries that satisfy EU privacy requirements, enough to allow data to be transferred due to an equivalent level of legislative protection, is very short at only 11 countries. Notably absent from the list is the United States, where 67 percent of all cloud services are headquartered. Data residency is already a significant issue under the current EU Data Protection Directive and it will continue to be so as the new regulations come into effect – especially as only 8.9 percent of US-based providers have the Safe Harbor Certification, which provides exemption to these regulations.
A draft version of the new regulation would require organisations to notify EU regulatory authorities within 24 hours of a data breach, even if the breach occurs in a third party cloud service. The problem arises from the fact that many cloud providers expressly put the responsibility on the customer to detect breaches and this can be a neigh on impossible task.
“Some existing regulations including the UK General Data Protection Regulation and France Data Protection Act allow organisations to circumvent breach notification requirements if data is made inaccessible to third parties using encryption. Unfortunately, only 1.2 percent of cloud providers today provide the tenant-managed encryption keys required to do so.
Existing European data privacy laws also require that organisations take steps to protect personal information. For instance, the France data protection authority CNIL recommends strong passwords, secure workstations, network security, and information security training. The challenge is that not all cloud providers offer tools to secure data natively. In fact, only 2.9 percent of cloud services enforce secure passwords. A higher number (7.2 percent) support SAML integration with single sign-on providers such as Okta, OneLogin, and Ping Identity.