The impending introduction of the European General Data Protection Regulation (GDPR) should be a wake-up call for businesses to pay closer attention to their data handling practices and cloud service contracts, The Bunker warns today. With two years to go until full implementation, now is the time for businesses to take control of their data.
The GDPR formally passed on 14 April this year, having first been introduced in 2012 as part of the European Commission’s Digital Single Market Strategy. Designed to better protect citizens’ data and harmonise legislation across the EU, the GDPR brings with it a raft of new guidelines and requirements for controllers and processors of Personally Identifiable Information (PII). Those data handlers that fall foul of these new requirements will be liable for severe fines, of up to 4 per cent of annual turnover or £15.8 million.
Although the legislation has passed, businesses operating within the EU have until the middle of 2018 to implement the required changes, having been granted a two-year grace period.
According to Phil Bindley, CTO of The Bunker, businesses should use this grace period to reassess their hosting arrangements and partners’ capabilities to ensure that they are able to meet the GDPR’s requirements head on.
Phil commented: “The GDPR is, in many respects, a very welcome and well-meaning piece of legislation, but it does threaten to bring with it some real challenges for businesses when it comes to compliance. Under the revised regime, and unlike the previous legislative framework, both data controllers and data processors have potential liabilities. In short, that means that if a Cloud Service Provider (CSP) experiences a data breach, it is the data owner [the customer] that will bear the brunt of the exposure.
“This will make businesses think more about how they store their data – and rightly so. There will be nowhere to hide when it comes to data security. Businesses won’t simply be able to hand the responsibility for data protection over to a third party,” Phil continued.
“There is no turning back on cloud, so organisations will need to go in one of two directions. They can either boost in-house skills and experience to be able to control and monitor cloud providers more closely, or conduct more due diligence when appointing a CSP, to find one that can offer the required cyber resilience throughout the entire lifecycle of the contract. It’s critical that businesses can get a handle on where their data is, how it is stored and who has access to it. A failure to do that means running the risk of getting hauled in front of the Information Commissioner’s Office and a hefty fine to boot!” he concluded.