GDPR, cloud and the concerns, issues and needs of IT decision-makers

A look at the General Data Protection Regulation (GDPR), cloud and IT decision-makers. Are IT decision-makers asking the right GDPR cloud questions, what are their GDPR cloud concerns, how do they (intend) to address them and do they feel supported enough in their compliance efforts? And at the same time yet another call-to-action as companies keep failing to grasp the essence of the GDPR text.

As the GDPR is a lot about consent or other legal grounds for lawful processing, about data subject rights, privacy and putting back the control of personal data in the hands of people, in general it clearly requires a risk perspective approach (meaning: the risks from the view of the data subject’s personal data protection, not your company’s risks, there is a difference) in a strategic, planned and holistic way, obviously technologies are involved. Technologies are part of the risks and challenges to address and part of the solutions in many GDPR compliance efforts.

93% of companies are worried about the storage of their data in the cloud after the General Data Protection Regulation (GDPR) and 91% are concerned about how the new rules will affect cloud services (more below)

Among the technologies that are affected by the GDPR (and ePrivacy Regulation) we previously mentioned IoT (the Internet of Things, more about IoT, GDPR and ePrivacy here) and among the technologies that can help bring GDPR compliance closer we mentioned artificial intelligence. As GDPR information management and ECM expert Rick Gruijters explained in our interview on the strategic business and information management dimension of GDPR, artificial intelligence (AI) can help with metadata and retention schemes through automatic classification and metadata extraction and there is indeed a growing attention for AI in the overall GDPR picture.

Of course many technologies stand on both sides: as risks and as enablers to prevent risks or solve issues regarding the rights which data subjects have under the GDPR. Even more ‘recent’ technologies such as blockchain have been cited as ways to achieve GDPR compliance. As it is still very early days with regards to the latter, let’s take a look at the technologies that do cause concerns and headaches from a GDPR perspective in many organizations, starting with the cloud.

GDPR cloud and IT decision-makers

Cloud and GDPR: combining one of the backbones of the digital economy and changing regulations in the digital economy

It’s pretty inevitable to start with GDPR and cloud as cloud computing is adopted in such high degrees and is still the foundation for many digital transformation initiatives.

With big data analytics, mobile and social, cloud is still the foundation of the third platform upon which all those innovation accelerators are added, enabling digital transformation overall and the transformation of industrial markets, increasingly known as Industry  4.0.

In general, the cloud (SaaS, IaaS, PaaS,…), cloud applications and particular cloud solutions (file sharing, cloud storage etc) have caused concern. This is logical. After all, the public cloud and hybrid cloud models by definition involve workloads and information that are not on-premises but distributed, managed and processed across hardware, software and networks/systems of third parties.

Being as GDPR compliant as possible is an overall effort that requires collaboration, corporate support, clear strategies and looking at several things with several people in several stages as it’s a strategic business issue

It is clear that mainly with public cloud and cloud applications which directly – can – touch personal data (as many tend to do, just think CRM, marketing automation, collaboration tools, and pretty much all marketing technology) there have been quite some concerns. Several cloud companies announced that their cloud solutions would be ready for GDPR. As we wrote before, Microsoft was one of the first, albeit still rather late, to say its enterprise cloud services would be ‘ready for GDPR’.

In general cloud companies and cloud application providers were pretty late to tackle GDPR.

This is certainly the case for applications in particular areas where since the Summer of 2017 there has been an increase of announcements regarding new datacenters in the EU, ISO certifications and much more. Better late than never one would guess – especially with the high GDPR fines in mind.

Concerns regarding GDPR and cloud – the facts

Still, concerns regarding the cloud remain. According to research on behalf of cloud solution provider Calligo, announced on October 24th, 2017 (more here, PDF opens), a whopping 93 percent of companies is concerned with data storage in the cloud after the GDPR.

Moreover, 91 percent of respondents are concerned about how GDPR rules will impact cloud services. Yet, the survey tells us more about just GDPR and cloud as you’ll read.

When it comes down  to cloud services 46% of respondents are concerned about the complexity of GDPR and only 15% cite privacy

The respondents weren’t exactly beginners: 500 IT decision-makers from companies with over 100 employees and £15 million turnover. Despite concerns about GDPR and cloud, only 26 percent of respondents said they picked a cloud provider because they trust its GDPR effectiveness. That makes GDPR effectiveness far less important than scalability, pretty much the essence of cloud, which mattered as a decision criterion for 41 percent of respondents.

But then the picture gets uglier and once more shows how even relatively large companies and IT decision-makers still haven’t put GDPR compliance (or at the very least coming as close to GDPR compliance as possible) at the top of their agenda.

Take this example on GDPR and cloud from the survey: when it comes down  to cloud services 46 percent of respondents are concerned about the complexity of GDPR and only 15 percent cite privacy. Fortunately security and breaches are more of a concern with 41 percent of respondents.

However only 14 percent states that concerns about meeting GDPR (and you can add ePrivacy to that) including their new rules for the handling, storing and processing of personal data are uppermost on their minds.

There is little point putting a ring of steel around data you should not have - quote Julian Box CEO of Calligo on GDPR and security from Calligo GDPR cloud survey

Looking at GDPR the right way: lessons from how IT decision-makers look at GDPR cloud concerns

What do the results of this survey on GDPR and cloud tell us? A lot.

It’s the perspective of the data subject that should matter

For starters, unfortunately it confirms once again what has been said so often: many seem to be looking at security, the prevention of breaches and the complexity of GDPR.

Yet, very few are really taking  the right precautions and are looking at GDPR in a more strategic and encompassing way whereby privacy and risks with regards to personal data protection should be looked upon from the perspective of the data subject: people and their risks and privacy, not just some security precautions. It is a totally wrong way to look at GDPR, also in the perspective of GDPR and cloud.

The fact that only 15 percent highlighted privacy in relation to cloud services is a saddening proof of this. Certainly when you look at the other mentioned data with regards to security, breaches and complexity.

Wrong cloud and GDPR concerns show GDPR misunderstanding

Secondly, as Calligo CEO Julian Box rightfully emphasizes there is a major discrepancy between the whopping percentages of respondents who have concerns with regards to GDPR and cloud on one hand and how these concerns are dealt with in practice.

Despite the severe penalties for infringing the GDPR, only 14% of responding IT decision-makers worries about meeting their obligations under the new privacy laws with the wideranging new rules for handling and storing data are uppermost on their minds

Moreover, the concerns are predominantly those you typically expect from people in IT who think in terms of security, breaches, implementation, complexity and so forth but as is clear from the first conclusion not the concerns of people who look at risks from the perspective of the data subject and his personal data.

Now, why is that important you might ask? Well, the first thing that will happen when a company is visited to check how GDPR compliant it is, will be to look at what steps have been taken. Awareness is a crucial stage as mentioned (understanding and education) in our GDPR guide. Looking at risks from the data subject’s perspective is another one. And having a clear plan to address those risks at all levels after a gap analysis, even if it still needs implementation is certainly also a token you did take needed steps.

What this survey on GDPR and cloud tells us is that there isn’t a plan, let alone understanding of these crucial aspects, let alone of the scope of the GDPR as such among a majority of responding IT decision-makers who play a crucial part in the first stage of GDPR awareness to begin with (or at least should).

It’s not as of respondents aren’t concerned about GDPR or GDPR and cloud, they just aren’t concerned about the right things and have a far too limited and fragmented view. Quoting Calligo CEO Julian Box: “While our research shows that companies are rightly concerned about how the GDPR will affect the cloud, it is apparent that many are not helping themselves. Although 89% claim to be very or quite clear about how GDPR will affect their organization, they don’t seem to be giving due weight to meeting these new privacy obligations.”

The obsession with security (alone) in GDPR preparations: “There is little point putting a ring of steel around data you shouldn’t have”

Yes, cloud is a GDPR concern on many levels and, yes, just as strategy, information management and a plan, cybersecurity and the prevention of data breaches is of the utmost importance.

On average 52% of respondents state that GDPR will not affect their use of cloud services

But then again: not being concerned about security and data breaches, regardless of GDPR, ePrivacy Regulation and the Privacy Shield, in these days where data and security are the essence to even conduct digital business, let alone digitally transform, is already unacceptable as such. For us this is once again proof that the GDPR has several benefits for businesses in a digital transformation economy. The problem, however, is that it will only benefit those that really get it and the closer we approach May 2018 the less convinced we get that the latter are in the majority to put it mildly.

Moreover, security is just part of the bigger GDPR picture, let alone the GDPR and cloud picture. Quoting Julian Box again: “Of course, security is a huge concern, but it is only one part of the GDPR jigsaw that all organizations storing personal data of EU citizens have to have in place before the enforcement deadline on 25th May next year. There is little point putting a ring of steel around data you shouldn’t have.”

A clear statement that many still don’t seem to understand.

We do hope that this message, certainly in this stage, comes across as we’ve been hoping since 2015 but in the meantime it has become pretty clear that organizations simply won’t be ready for GDPR with some exceptions and as far as full compliance is even achievable.

From the GDPR and cloud perspective a few more takeaways from the survey results while we remain baffled about how poor understanding and readiness for GDPR everywhere still is (far from just in this survey):

  • On average 52 percent of respondents state that GDPR will not affect their use of cloud services.
  • 49 percent of respondents say that continuing doubts on the Privacy Shield will affect their use of hyperscale cloud.
  • And, we like to repeat it, the effectiveness of a cloud provider with regards to GDPR is not a major criterion for IT decision-makers in their choice of such a provider.

GDPR compliance is a strategic group effort – don’t blame “the IT-decision maker”

Obviously it’s not that IT decision-makers aren’t smart. Moreover, there isn’t such a thing as “the IT decision-maker”. They are people and some have other concerns, challenges, viewpoints, mandates, skills and whatnot than others, just as is the case in any job. The survey is about averages and doesn’t look at the ”why”.

Only 31% of IT decision-makers said they had governance sponsorship for GDPR at board level, while just 9% said their compliance departments were giving them
full support

The issue is of course far broader. To put it simply: 1) GDPR isn’t taken seriously enough yet, 2) many companies simply are still in the awareness stage or not even there (and there are those who do tell us they couldn’t care less as well), 3) being as GDPR compliant as possible is an overall effort that requires collaboration, corporate support, clear strategies and looking at several things with several people and 4) as mentioned before it’s a strategic business issue.

In the Summer of 2017, Callido came up with another survey which gives answers to some of the “why’s” and are typical for many organizations, even in this stage. The survey showed that 69 percent of board-level executives were neglecting to ensure the UK businesses they run would comply with the General Data Protection Regulation and that IT decision-makers essentially had little governance sponsorship for GDPR at board level (31 percent of responding IT decision-makers) and even less (9 percent) said their compliance departments were giving them full support. There also seemed to be a minority of respondents with an appointed Data Protection Officer. More about that survey in the press release here (PDF opens).

You can read all the findings from the cloud GDPR survey tackled here in the press release (PDF opens) and download a whitepaper from Calligo on GDPR on https://calligo.cloud/gdpr/ebook

Of course there is more to be said about cloud and GDPR and this survey isn’t the only one. Stay tuned for more and for more articles about technologies in the scope of GDPR as well.

Next in regulations and compliance: EU DORA Digital Operational Resilience Act

Top image: Shutterstock – Copyright: artjazz – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.