Cloud computing and SaaS are proven to support business flexibility and growth. From automatic software updates, increased productivity through collaboration and document version control and accessibility through an internet connection, cloud services help organizations improve ops and create competitive advantage.
With so much user data processed through cloud services, securing and masking that data falls on SaaS vendors. The upcoming privacy requirements prescribed by the EU General Data Protection Regulation (GDPR) set new rules that define data privacy.
Starting next year (May 2018), the European Union will implement its newly revamped set of principles and articles. These GDPR requirements apply to any organization doing business in the EU or any organization that processes personal data originating in the EU – be it the data of residents or visitors. These requirements are changing the way the world views privacy. In this post we’ll take a look at how the GDPR affects cloud services and new opportunities in the job market.
Does the GDPR Apply to You?
According to an article in Forbes, if you are doing any of the following business activities, you’ll need to comply with the GDPR by next May.
- Selling goods or services to EU citizens
- Operating a website that uses cookies and similar technology to monitor people and traffic which could originate from the EU
- Employing any residents of the EU
- Collecting any data that may include information about EU citizens
It can be confusing when dealing with the borderless nature of the internet, and many companies will undoubtedly question whether the GDPR affects them or not. It’s simple: organizations of any size in any country that process anyone’s data – if that data originated in the EU – are subject to the GDPR.
Managing Data Across Borders
The starting point for GDPR compliance is data discovery and data classification. This is especially critical for companies using SaaS apps.
Data Discovery
As we mentioned earlier, large organizations may not have a complete inventory of all the databases in their private cloud and the public cloud services they use. As a result, privacy data may go unnoticed in their data discovery exercise. Discovery scanning will allow organizations to conduct a more effective inventory of their data.
Data Classification
The second component after data collection is to identify privacy data within this data. The GDPR is not interested in non-privacy related data. It focuses on sensitive personal and privileged information relating to people, or personally identifiable information (PII).
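To make the discovery-and-classification step concrete, here is an added example (not code from the original post or from Imperva) of a minimal classification scan: it takes column samples from several cloud datasets, matches values against value-format detectors, uses column names as a second signal, and emits an inventory of only the columns that hold personal data. The regexes, the 80 percent match threshold, the column-name hints and the sample datasets are all assumptions constructed for the illustration; a production scan would need a far richer rule set.

```python
import re
from collections import Counter

# Value-format detectors for common PII types. Order matters: the most
# specific pattern comes first, because a loose phone pattern would also
# match IP addresses and ISO dates. These regexes are an assumption made
# for this illustration, not a complete GDPR classification rule set.
VALUE_PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "date": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "phone": re.compile(r"^\+?\(?\d[\d\s().-]{6,}\d$"),
}

# Column-name fragments that indicate personal data regardless of value format.
NAME_HINTS = ("name", "address", "dob", "birth", "national_id", "passport")
# A bare date is only personal data in context; promote it to a PII finding
# only when the column name says it is a birth date.
DOB_HINTS = ("dob", "birth")


def classify_value(value):
    """Return the first PII type whose pattern matches the value, or None."""
    value = value.strip()
    for label, pattern in VALUE_PATTERNS.items():
        if pattern.match(value):
            return label
    return None


def classify_column(name, values, threshold=0.8):
    """Classify one column from its name and a sample of its values.

    Returns the PII label when at least `threshold` of the non-empty values
    share one format (dates also need a birth-date column name), 'name_hint'
    when only the column name indicates personal data, else None.
    """
    non_empty = [v for v in values if v and v.strip()]
    lowered = name.lower()
    if non_empty:
        counts = Counter(classify_value(v) for v in non_empty)
        counts.pop(None, None)
        if counts:
            label, hits = counts.most_common(1)[0]
            if hits / len(non_empty) >= threshold:
                if label != "date":
                    return label
                if any(h in lowered for h in DOB_HINTS):
                    return "date_of_birth"
    if any(h in lowered for h in NAME_HINTS):
        return "name_hint"
    return None


def build_inventory(datasets):
    """Return {dataset: {column: label}} listing only columns classified as PII."""
    report = {}
    for ds_name, columns in datasets.items():
        flagged = {}
        for col, values in columns.items():
            label = classify_column(col, values)
            if label:
                flagged[col] = label
        report[ds_name] = flagged
    return report


# Constructed sample of three cloud datasets (not real data).
SAMPLE_DATASETS = {
    "crm_export": {
        "email": ["ana@example.org", "bo@example.com", "cy@example.net"],
        "contact": ["+44 20 7946 0958", "+49 30 1234567", "(555) 010-2233"],
        "full_name": ["Ana Example", "Bo Example", "Cy Example"],
        "plan": ["pro", "free", "pro"],
    },
    "web_logs": {
        "client_ip": ["203.0.113.7", "198.51.100.22", "203.0.113.9"],
        "path": ["/login", "/cart", "/"],
        "ts": ["2017-06-01", "2017-06-01", "2017-06-02"],  # event date, not PII
    },
    "hr_records": {
        "employee_no": ["E1001", "E1002", "E1003"],
        "birth_date": ["1985-03-12", "1990-11-30", "1978-07-04"],
    },
}

if __name__ == "__main__":
    for ds, cols in build_inventory(SAMPLE_DATASETS).items():
        print(ds, cols)
```

The two-signal design is the point: value formats alone would flag the `ts` event-date column as personal data, while column names alone would miss a phone column called `contact`. Running this against the sample yields the email, phone and name columns of the CRM export, the client IP in the web logs, and the birth date in the HR records, which is the inventory the classification step hands to the rest of the compliance program.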
Security Professionals Say Companies are Aware of the GDPR, but not Prepared
So how are organizations preparing for this change? Recently, Imperva asked 170 security professionals to determine how companies were reacting to the upcoming EU security restrictions. Of the people polled, 51 percent said the GDPR would impact their company in some way. At the same time, only 43 percent of them said they are working on changes to accommodate the new guidelines.
Companies should evaluate the impact the GDPR will have on their data practices. The fines are steep. Violators will be charged €20 million ($23.7 million) or four percent of global revenue. – Terry Ray, Chief Product Strategist, Imperva
Having a Plan in Place
Even though the GDPR enforcement doesn’t begin until May 2018, there are three things internet organizations can do right now.
- Create a plan that includes data inventory, procedures, data flow and notification processes
- Verify your systems can provide data analysis, data protection and data transfer options
- Drive your plan forward with compliance audits, status reporting, improvements all supported by improved policies and procedures
GDPR and the Job Market
The GDPR also opens new opportunities for tech professionals. Article 37 of the GDPR requires organizations to hire a data protection officer to ensure that an organization’s core activities are regularly and systematically monitored on a large scale.
According to a report from the International Association of Privacy Professionals, at least 28,000 DPOs will be needed in Europe and the U.S. alone. Additionally, as many as 75,000 DPO positions will be created around the globe in response to the new guidelines.
The responsibilities of a DPO cover the following areas of data privacy and data security:
- Data retention
- Data anonymization and pseudonymization
- Security risk assessment of current business practices involving personal data
- Privacy impact assessment of new products, platform, services or processes, vendor assessments and audits
- IoT and breach management
Imperva conducted a survey of IT security professionals at the recent Infosecurity Europe event. Of the 310 respondents, 79 percent acknowledged that their organization is already preparing to meet the GDPR, and 67 percent already had a DPO on staff.
This means 21 percent of organizations aren’t presently working toward GDPR compliance, and 22 percent haven’t yet hired a DPO. Most surprising was that 52 percent weren’t planning to hire a DPO until the second half of 2018 or later – after GDPR enforcement commences.
We also analyzed online job listings to look at hiring trends in advance of the GDPR. In our analysis of a prefiltered subset of over 18K Indeed.com job postings from 32 countries, nearly 5.8K matched the search terms GDPR, DPO, data protection or data privacy.
We learned that DPOs aren’t the only GDPR-related position that organizations are looking to fill.
Key Findings From Our Research:
- There will be a growing demand to fill DPO openings, especially contract positions.
- The US has the second-highest number of job listings after the UK – ahead of every other European country.
- DPO recruitment will likely accelerate later this year and on into next as the enforcement deadline fast approaches.
- The job listings show a growing expectation that IT and business staff will take on increased data privacy and protection responsibilities.
- With the focus on hiring information security, compliance and IT staff to support the GDPR regulation, technology capabilities – such as data and records management, process automation and impact assessment tools – become essential to achieving compliance.
- Our survey revealed that 55 percent of respondents expect AI or machine learning solutions to support DPO efforts in three to five years from now.
The report states that we’ll see a significant increase in security and privacy measures before the GDPR regulations kick in next year. Ultimately, data and records management, process automation and impact assessments tools will become essential to achieving compliance.
There’s a lot of information and processes to absorb (and implement) before next May. The upcoming GDPR will have a broad impact on global data and privacy issues. Make sure your SaaS network is included in your efforts to prepare for compliance.