Cloud-based apps – are they GDPR compliant? 6 Steps to achieving this.
1st May 2018
In just over 3 weeks' time, the European Union's General Data Protection Regulation, commonly known as GDPR, will come into effect, not only in Europe but globally. On the 25th May, the legislation – designed to protect the consumer's data – will become law.
If you do business anywhere in the world and collect personally identifiable information (PII) on an EU citizen, you will be subject to GDPR regulations. If you do not adhere to these, fines will be levied based on your company turnover.
By now, most businesses have read up on the basic rules around data privacy and protection and taken action. But what are the implications for cloud-based apps such as Salesforce, Concur, SuccessFactors, Dropbox, WeTransfer, and more?
Many businesses use and depend on these apps without any guidance or involvement from their IT provider, because they are considered only 'apps' rather than IT. According to one report from Netskope in 2015, the average European enterprise uses 608 cloud apps; even as businesses begin to appreciate the importance of professional IT support, this figure is usually underestimated by about 90 percent.
Most of these apps will contain customer data of some form, so they must still be compliant under GDPR. How can that happen if the business is unaware of 90% of the cloud-based apps its employees are using?
1. Simplify and consolidate
The first step is to undertake a full audit of the apps in use in your business across all employees and understand which are business critical and where there is overlapping functionality. Remove those that are not needed.
2. Assess the security of the apps
You need to know which apps meet your security standards, and either block or introduce restrictions of use for those that do not. Take adequate security measures to protect personal data from loss, alteration, or unauthorised processing.
3. Know where cloud apps are processing or storing data
Once you know which apps are in use, it is important to understand where the providers are hosting your data. The app vendor's headquarters are seldom where your data is stored, so you may need to contact them with a formal request – they may even move the data around between data centres.
4. Introduce data processing agreements setting out the terms of data collection
For the apps that have been sanctioned, set up a data processing agreement with the providers to ensure that they are adhering to the data privacy protection requirements set out in the GDPR.
Within this agreement, specify that the app collects only the personal data needed to perform its function from your business and nothing more, and make sure that there are limits on the collection of "special" data, defined as data revealing things like race, ethnicity, political conviction, religion, and more.
5. Don't allow cloud apps to share personal data
Through your data processing agreement, state clearly in the terms that the customer (i.e. your business) owns the data and that the provider must not share the data with third parties.
6. Ensure that the data will be erased when you stop using the app
Check the terms of the app and make sure that you can download your own data immediately, and that the app will delete your data from their servers if you terminate the service. For additional security, find out how long this process takes – the more immediate (in less than a week), the better, as lingering data carry a higher risk of exposure.
Professional help and guidance with GDPR
Understanding and implementing the relevant policies, guidelines and infrastructure to make sure your business is GDPR compliant can be a time-consuming and complicated process, as the legislation affects so many areas of an organisation.
Seeking professional IT help and support can take the stress out of the situation - commissioning a full GDPR audit could give you peace of mind that your business is fully compliant.
Get in touch now to talk to us about how we can help.