Posted: 4 Min ReadProduct Insights

What GDPR Will Mean for Cloud Apps

When it comes to gathering and protecting personal data from cloud apps, your job just took on a major set of new responsibilities

The Global Data Protection Regulation (GDPR) deadline is here. If you’re using cloud apps like Microsoft Office 365, Google G Suite, Salesforce, Workday, Slack, etc., there are a few things you need to know - and a few things you should probably do.

The GDPR is a new European data privacy law. At its core, GDPR is a directive aimed at protecting personal data for EU subjects; it describes what constitutes personal data and sets requirements for organizations that control and process personal data. Here’s a quick guide to understand what is considered personal data, your role as a “data controller” and/or a “data processor”, and how you can use a cloud access security broker (CASB) to help fulfill critical GDPR compliance requirements.

What is Considered Personal Data?

The GDPR defines personal data very broadly. Beyond the data types we are used to seeing in data privacy regulations such as names, addresses, phone numbers, health data, and financial data; the GDPR covers any data that can be associated with or used to identify a specific natural person. This includes data such as IP addresses, cookies, RF tags, or any set of data that could be broken down to identify an individual (such as reference to a characteristic of a person in an identifiable group where there is only one person with that characteristic).   

What is a Data Controller?

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. An entity may or may not be collecting the personal data themselves but if they are making the decisions for how personal data on natural EU subjects is being processed, they are the data controller.

What is a Data Processor?

A data processor is a natural or legal person, public authority, agency or other body responsible for processing personal data on behalf of a data controller. Most data controllers are also processing the data they control via their own internal systems. However, in today’s cloud world, it is increasingly common for organizations to be using SaaS, PaaS, or IaaS to help with business processes.

Are you using Office 365 or Salesforce or Workday or Amazon Web Services? These are all data processors. How about cloud email or instant messaging? Are your employees using cloud services to convert files from one type to another or to send extra-large files to colleagues? These are also data processors. Even if this is simply an entity that provides a platform where systems containing personal data can be hosted or personal data is temporarily held (be it storage, file sharing, file conversion, translation, email, formatting, or other activity), that cloud app provider is a data processor.  

Who is Responsible for What?

A data controller is responsible for complying with the GDPR principles of lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data. 

A data controller is also responsible for ensuring that data is processed according to the principles of the regulation. So, if you are the data controller, you are responsible for making sure you are using responsible and compliant data processors – whether that processor is yourself or a third-party cloud service.  

You are responsible for securing any personal data you control that applies to EU subjects no matter where you or your data processors are geographically located. You must also demonstrate that you have implemented appropriate processes and technical measures to comply with the GDPR.
 

What to Do

There is a lot to unpack within the GDPR but in the context of using cloud apps, it boils down to two things; ensure you are using cloud apps that can be compliant with GDPR and enforce data security to protect personal data when you are using cloud apps.

A CASB, such as Symantec’s CloudSOC, can help you achieve both of these things very quickly.

Step 1: Analyze and Control What Cloud Apps You Use

Discover what cloud apps are being used by your employees. Identify if these apps are GDPR-compliant. Monitor how you are using these apps.

A good CASB Audit service can discover what cloud apps are being used by your local and remote employees and it will provide risk ratings and intelligence on risk attributes for those cloud apps.  With this intelligence, you can easily identify what apps to use and what apps to restrict. Plus, you will be able to demonstrate that you monitor your cloud app data processors with automated reports and intuitive dashboards. Hint: Most enterprises discover that their employees are using more than 1,000 different clouds apps and most of these apps are not GDPR ready.

Step 2: Secure and Control Personal Data in Cloud Apps

Detect and monitor any personal data processed in cloud apps. Track where it is and identify if it is at risk of exposure.  Automate controls to protect that personal data. Prevent it from being processed on non-compliant apps. If you allow it to be processed in a cloud app, limit who can access that data. Consider encrypting the data. 

A good CASB will enforce data loss prevention (DLP) and data security over personal data in cloud apps. It can automatically scan content and classify it if it contains personal data. It will track where the data is stored, who has access to that data, and if it is at risk of exposure. It can help prevent unsafe uploads, downloads, or access to personal data through automated policies.  It provides reports and dashboards so you can demonstrate the measures you take to protect personal data in the cloud.

If you found this information useful, you may also enjoy:

About the Author

Deena Thomchick

Sr Director Product Mgmt, Cloud Security

Deena is a 25 year technology veteran and security enthusiast, a senior member of the Symantec CASB product group. In addition to her current focus on cloud security, her background includes work on encryption, ATP, network security and endpoint security.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.