Not ready for GDPR to go into effect next month? There's some good news and some bad news.
The bad news: The European Union regulation has enough teeth to cripple a small or midsize organization for noncompliance. The good news, or perhaps the less-bad news: If you're not ready, you're far from alone.
Cloud providers say their platforms are prepared for the General Data Protection Regulation (GDPR) compliance requirements, but that doesn't absolve users of their own responsibility under a regulation that will affect virtually any U.S. company with a presence in Europe. Many remain uncertain about compliance with the rules that go into effect May 28, and the sizeable costs to get in line with these rules could force substantial changes to companies' cloud architectures.
GDPR, which was approved by the European Union Parliament, covers all EU citizens and people whose data is stored in the EU, regardless of whether the company that collects the data is based in Europe. If a company detects a serious breach, it is required to notify affected individuals and regulators within 72 hours. It also expands the parameters of personally identifiable user information and raises the bar for companies to process that information. Failure to comply risks fines of up to 20 million euros or 4% of annual global revenue.
Major U.S. cloud vendors have prepared for this regulatory shift for years. With explosive growth in new regions across Europe and elsewhere to meet data residency requirements, vendors have added products for encryption and key management to secure sensitive data. For them, achieving GDPR readiness is more of a step forward than a giant leap, as they've already received the seal of approval for dozens of existing compliance standards, including the various System and Organization Controls and International Organization for Standardization programs.
Perhaps most relevant to GDPR compliance requirements has been increased transparency into these platforms. AWS led the way with tools to tag resources, and others have more recently followed suit. These capabilities can be critical for companies that built applications on these platforms and must show regulators an audit trail for their customers' data.
However, some of the details of GDPR rules and responsibilities must still be hashed out, according to Daniele Catteddu, CTO for the Cloud Security Alliance, a nonprofit advocate for cloud security best practices. A survey released this month by the alliance, which counts AWS and Microsoft among its members, found 83% of companies said they do not feel very prepared for GDPR, 31% have a well-defined plan for compliance, and more than 10% lack any defined GDPR plan.
GDPR compliance requirements heavily emphasize corporate responsibility. And while companies are eager to be in compliance, a large backlog of contractual clauses must be reviewed and potentially updated once a general code of conduct is established for compliance, Catteddu said.
"I don't think any, or at least very few, companies are going to be ready," he said.
GDPR readiness isn't cheap
Besides the confusion about how audits will be handled and lack of clarity around responsibilities, companies are least prepared for the cost of GDPR compliance requirements.
Many companies, although aware of the pending regulations, have been slow to prepare and shocked by the price tag, said David Linthicum, chief cloud strategy officer at Deloitte Digital. Besides additional tooling to track resources and control changes, companies may need to plug several staffing gaps, such as designated workers to oversee the data that comes in, track the operations and personally identifiable information, and communicate with regulators to validate adherence to the requirements.
"What needs to be done is going to be very labor-intensive ... [and] very costly for a company doing business in Europe," Linthicum said.
Deloitte estimated companies that do business in the EU will pay an additional 10% to 15% in compliance costs under GDPR. For the Global 2000, the EU is too huge a market to leave, but some smaller companies may abandon the market or anonymize users' data to avoid collecting any personally identifiable information, Linthicum said. He said he's also watching to see if the EU backs down on the requirements to make it cheaper, of if they'll stand pat regardless of the outcomes if businesses pull out of the EU.
Steps to prepare for GDPR compliance
The first step to ensure GDPR compliance is a risk assessment of cloud environments against GDPR. That's nothing new for IT shops in highly regulated industries, but a mandate that could be foreign to others, particularly PaaS and SaaS startups built on top of hyperscale clouds that quickly developed a global customer base.
Michael Johnsonsenior leader of technology consulting, Bridgepoint Consulting
"With these startup firms, it's a bit of the wild, Wild West," said Michael Johnson, senior leader of technology consulting at Bridgepoint Consulting in Austin, Texas. "They're moving really fast, and there's not a lot of controls and a little bit of cowboy environment."
Compliance with these frameworks necessitates not only structured controls, but a tone from senior management on down that cybersecurity is a critical initiative inside the company.
Companies should start with low-hanging fruit, such as limiting privileges and admin access. They should also go beyond the traditional practice of using emails and spreadsheets and institute auditable practices that are repeatable and scalable to gain a global view of the company's overall risk, said Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, a Microsoft managed service provider in Jersey City, N.J.
Companies sometimes struggle to fully disclose data breaches in a timely manner because they lack visibility and certainty over the data they hold, and tagging resources will be critical to the audit trail for regulators' review, Simberkoff said. The "right to be forgotten" under GDPR is an example of the difficulty to comply with GDPR without those controls in place, he added.
"[Deleting data] seems easy, but it has to be erased everywhere -- all the backups, all the dev and test systems. Most organizations don't even know where that stuff is," Simberkoff said.
Most organizations have a decent set of controls, but they lack the evidence needed for a properly auditable environment, Johnson said. Getting to that point, both technically and culturally, can take years. That's not a good sign for companies that are late to GDPR -- but it's not the end of the world, because most everyone else is late, too.
"It's going to take a while for enforcement to start," Johnson said. "The key thing is to know where the gaps are and to be able to show you're fixing them."