general data protection regulation | GIGE IT Solutions: IT Services Mississauga
https://gige.ca/tag/general-data-protection-regulation

Importance of Cloud Data Security

https://gige.ca/importance-of-cloud-data-security
Thu, 19 Apr 2018 17:30:30 +0000

Since 2015 there has been a remarkable increase in the use of cloud-based solutions, such as cloud backup, email, project management tools and virtual desktops. A study conducted by the Ponemon Institute, the 2018 Global Cloud Data Security Study, found that modern businesses use 27 cloud-based applications on average.

As per the study, cloud data security ranked #5 out of the 9 criteria that businesses look for before selecting a particular cloud-based solution. Efficiency and cost were placed as the first two criteria, which seems fair when considering a solution for your business. But in the current digital age it is all the more important to factor in security along with these top criteria.

Let me take you through a scenario where a business chooses a low-cost, unsecured cloud-based solution.

Consider the data that you are going to store on your cloud-based solution. According to the Ponemon study, the primary types of data stored in the cloud are customer information (59%), email (49%), consumer data (47%), employee records (38%) and payment information (39%).

Say you have opted for a solution and the above-mentioned data has been stored in the cloud.

As per the Office of the Privacy Commissioner of Canada (OPC), the data you save travels over the Internet and is stored in remote locations. In addition, cloud providers often serve multiple customers simultaneously. All of this may raise the scale of exposure to possible breaches, both accidental and deliberate.

In case of a cyber attack, an unsecured cloud will not help you stop or avoid the breach. The trust your customers and employees had in you is damaged, which might result in a big loss to the business.

Apart from this, the business has failed to follow government regulations. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy legislation, an organization that collects personal information is accountable for the data collected even when such data is outsourced for processing to third-party providers, an example of which is a cloud provider. The Digital Privacy Act, a law that amended PIPEDA (still not in force in the absence of “Regulations”), states that organizations could face fines of up to $100,000 for failing to inform the affected individuals and the Privacy Commissioner about a data breach.

Another law that demands cloud data security is the General Data Protection Regulation (GDPR) – a European Union (EU) law that’s set to be implemented this coming May 25th. While GDPR is mainly an EU law, it has an “extra-territorial” scope, which means that even if your organization isn’t based in the EU, your organization is still covered under this law if your organization processes personal data of EU residents. The maximum fine under GDPR is 4% of the annual global turnover or €20 million, whichever is higher.

At GigE, we understand that most businesses might not have the expertise to select the right cloud-based solution for their needs. That’s where our experienced IT professionals can help. Call +1 (888) 366-4443 today to find out which cloud-based solution is best for your type of business.

Information Security Standards for SMEs under EU’s GDPR

https://gige.ca/gdpr-information-security-standards-smes
Mon, 26 Mar 2018 13:33:37 +0000

The European Union (EU) law General Data Protection Regulation (GDPR) will be enforced on May 25, 2018. Although GDPR is an EU law, it will be effective beyond the EU’s physical borders, as it is also applicable to organizations based outside the EU that either process personal data of staff or customers based in the EU or provide services to EU customers on behalf of another company.

Personal data of EU residents, that is, “any information relating to an identified or identifiable natural person”, has to be secured irrespective of the size of the firm. Even SMEs are expected to make appropriate adjustments on their end. A risk-based approach is required in this scenario: the higher the risk, the more rigorous the information security measures.

The white paper “Guidelines for SMEs on the security of personal data processing”, published by ENISA (European Union Agency for Network and Information Security), says: “The GDPR provisions for a risk based approach is horizontal as there are not exemptions or light weight approaches based on the organization size, availability of resources and capabilities”.

Similar to large enterprises, SMEs, therefore, have to identify the level of risk of personal data of EU residents, taking into consideration the nature, scope, type, volume and context of data processing and pro-actively implement security measures corresponding to the level of risk presented.

[1]Article 32 “Security of processing” of GDPR states:

  1. “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
     (a) the pseudonymisation and encryption of personal data;
     (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
     (c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident;
     (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
  2. “The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”[1]

Any organization found to be failing GDPR compliance may face a fine of €20M or 4% of annual global revenue, whichever is higher.

At GigE, we offer Information Security solutions that are compliant with local and international standards and regulations. If you just want to know if you are compliant with GDPR, we can perform audits for you. Call +1-888-366-4443 to get in touch with us to see how we can help you be prepared!

Resources:

[1] PrivazyPlan®: http://www.privacy-regulation.eu/en/article-32-security-of-processing-GDPR.htm

The countdown for EU’s GDPR is on! Is your business ready?

https://gige.ca/eu-gdpr-compliance
Tue, 20 Mar 2018 17:48:43 +0000

[1]“The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. EU adopted GDPR on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period. Primarily GDPR aims to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.”[1]

Wondering why this matters to your business if it is outside the EU? GDPR affects not only businesses with a presence in the EU but also businesses based outside the EU that process personal data of EU residents. Under GDPR, businesses cannot hide data breaches any more. This law makes it mandatory to give notice of a data breach within 72 hours after its discovery. Failure to do so may result in a fine of €20M or 4% of annual global revenue, whichever is higher.

Article 25, #2 of EU GDPR, “Data protection by design and by default”, states:

[2]“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”[2]

GigE has been helping its clients to be compliant with Canada’s Digital Privacy Act. With the GDPR implementation date nearing, we are ready to make your business compliant with the European Union’s General Data Protection Regulation too. GigE can help your business implement the EU GDPR. If you just want to know if you are compliant with GDPR, we can perform audits for the same.

Call +1-888-366-4443 to get in touch with us to see how we can help you be prepared!

 

Resources:

[1] Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

[2] PrivazyPlan®: http://www.privacy-regulation.eu/en/25.htm
