GDPR: How Can We Deliver Data Privacy by Design in the Cloud Age?

Public Cloud Storage vs Data Privacy Concerns

Cloud storage is transforming enterprise IT, enabling big cost savings and unprecedented abilities to collaborate and share data globally. However, alongside the rise of public cloud storage is an increased focus – especially here in Europe – on the need to ensure personal data is kept private. The new European General Data Protection Regulation (GDPR), which comes into force in May 2018, has many enterprises searching for answers to this apparent conundrum: leveraging public cloud whilst keeping data secure and private.

What is in the GDPR?

Well, for a start there are some serious penalties. The GDPR will replace national legislation such as the UK Data Protection Act (DPA) and its equivalents in other European nations. It is worth noting too that, on present indications, EU legislation such as the GDPR will be carried over into UK law when this nation leaves the EU – so Brexit won’t get us off the hook! Under the GDPR, penalties will be much tougher than under national legislation such as the DPA. The maximum fine for a company in breach of the rules is 4% of annual global turnover or €20m (£17.6m, $22.3m at the time of writing), whichever is greater. That top tier applies to the most serious violations, including breaches of core GDPR principles such as “Privacy by Design.”

“Privacy by Design” requirements

Privacy by design as a concept has existed for years, but it only becomes a legal requirement with the GDPR. At its core, privacy by design calls for data protection to be built in from the outset of system design, rather than bolted on afterwards. More specifically – ‘The controller shall… implement appropriate technical and organisational measures… in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects’. Article 25 of the GDPR (“Data protection by design and by default”) also requires data controllers to hold and process only the data necessary for each specific purpose (data minimisation), and, by default, to limit access to personal data to those who need it to carry out the processing.

Article 32 of the GDPR (“Security of processing”) lists the kinds of security measures that may be considered “appropriate to the risk,” including:

  • The pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data.
  • The ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of those measures.

How can data be kept Private in the Public cloud?

The problem is that data stored in the public cloud could – in principle – be read by anyone with sufficient access on the provider’s side, including the vendor of the cloud storage service itself, which sits uneasily with the GDPR requirement to keep data private “by design.” Encrypting the data after it has arrived at the cloud storage platform (server-side encryption) does not close this gap on its own: no matter how good the cipher, if the encryption keys are held by the same provider that holds the ciphertext, then an operator with access to both the storage and the key service can decrypt the data, and so can anyone who compels or compromises that provider. The data therefore cannot be guaranteed to remain private.

In the past, we were able to rely on the “Safe Harbour” data protection agreement with the US. Under Safe Harbour, US cloud vendors such as Microsoft, Google and Amazon could “self-certify” that they would keep data private to the standards required in the EU. However, the agreement was ruled invalid by the European Court of Justice in October 2015, due in part to the conflict between EU data protection law and US laws such as the USA PATRIOT Act, under which such vendors can be compelled to hand over data in their control to federal authorities – including, where the vendor holds the keys, the decrypted contents.

Customer-controlled encryption is the Key!

The answer to this conundrum is to ensure that data destined for the public cloud is encrypted before it leaves the corporate IT security perimeter, using keys that are generated, stored and controlled by the customer and never handed to the cloud provider. The provider then stores only ciphertext it cannot read. Solutions are available, such as Nasuni, which take care of this automatically with customer-controlled keys. Look for solutions that fully automate the handling of customer-owned encryption keys whilst ensuring that users of a cloud-scale global file system can still access data stored in the public cloud seamlessly.
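To make the key-custody difference concrete, here is an added Go example; it is not Nasuni’s code and is not from the original article. It models a cloud bucket with AES-256-GCM from Go’s standard library, a provider-held key for the server-side encryption described in the previous section, and a customer-held key for encryption before upload. The Provider, Customer and InsiderRead names, the object names, and the personal-data record are all invented for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes draws n bytes from crypto/rand; a failing RNG is unrecoverable here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-GCM for a 32-byte key; any other key length is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; GCM's tag check turns a wrong key or a tampered blob into an error.
func open(key, blob []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short (%d bytes)", len(blob))
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Provider is the cloud vendor (hypothetical): it runs the object store and, for
// server-side encryption, a key service whose key it (not the customer) holds.
type Provider struct {
	Store  map[string][]byte // readable in full from the provider side
	kmsKey []byte
}

// PutServerSideEncrypted is "encrypt after it reaches the cloud": plaintext
// arrives at the provider, which encrypts it at rest with its own key.
func (p *Provider) PutServerSideEncrypted(name string, plaintext []byte) {
	p.Store[name] = seal(p.kmsKey, plaintext)
}

// InsiderRead: anyone with the store plus the provider's key service (an operator, or a compelled vendor).
func (p *Provider) InsiderRead(name string) ([]byte, error) {
	return open(p.kmsKey, p.Store[name])
}

// Customer (hypothetical) keeps its key on-premises and encrypts before upload.
type Customer struct{ key []byte }

func (c *Customer) Upload(p *Provider, name string, plaintext []byte) {
	p.Store[name] = seal(c.key, plaintext) // provider stores an opaque blob
}

func (c *Customer) Download(p *Provider, name string) ([]byte, error) {
	return open(c.key, p.Store[name])
}

// Demo stores one constructed personal-data record under each model and reports
// whether the provider insider can read it and whether the customer still can.
func Demo() (insiderReadsSSE, insiderReadsCSE, customerRoundTrip bool) {
	record := "name=Alice Example;dob=1980-01-01" // constructed sample record
	p := &Provider{Store: map[string][]byte{}, kmsKey: randBytes(32)}
	c := &Customer{key: randBytes(32)} // never leaves the corporate perimeter
	p.PutServerSideEncrypted("hr/alice-sse", []byte(record))
	c.Upload(p, "hr/alice-cse", []byte(record))
	got, err := p.InsiderRead("hr/alice-sse")
	insiderReadsSSE = err == nil && string(got) == record
	got, err = p.InsiderRead("hr/alice-cse") // provider key != customer key
	insiderReadsCSE = err == nil && string(got) == record
	got, err = c.Download(p, "hr/alice-cse")
	customerRoundTrip = err == nil && string(got) == record
	return
}

func main() {
	fmt.Println(Demo()) // true false true
}
```

Two design points. Setup failures (a wrong key length, an RNG that cannot be read) are treated as programming errors and panic, so the only error the code surfaces is GCM authentication failure, which is exactly what the insider hits on the customer-encrypted object. And the example shows only the cryptographic half of the problem: in a real deployment the hard part is the customer’s own key management (generation in an on-premises HSM or key manager, rotation, backup and recovery), and the provider still sees object names, sizes and access patterns even when it cannot read the contents.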

A bit more about Nasuni. It securely leverages cloud resources as the scalable and redundant backend storage for its global file storage solution. In order to use this storage effectively, Nasuni has developed robust security that combines strong encryption with top-tier cloud storage providers, ensuring the security and privacy of its customers’ data. With Nasuni, organisations can securely protect and manage their data for multiple global locations from a single centralised location.

Coming back to GDPR, this means with a solution like Nasuni, you get Data Privacy by Design. Any personal data stored in the Nasuni global file system is encrypted before transmission to the cloud, no matter where on earth it originates. This enables IT organisations to keep that data private and confidential despite being stored in public cloud infrastructure.

In addition, Nasuni builds in robust data protection without the need for a separate file backup system, through built-in continuous file versioning. This addresses the GDPR requirement to be able to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident at a local site.

So, if you’re looking for ways to reduce the cost of file storage and move from on-prem to the cloud without compromising GDPR compliance, take a look at Nasuni. For more information about the Nasuni security model, download the whitepaper.