An analysis of more than 20,000 cloud services shows that only 6 percent of them can safely call themselves compliant with the General Data Protection Regulation (GDPR) being implemented by the EU.
The General Data Protection Regulation is a law that will be put into action by the EU member countries by spring of 2018. It is a standardized data protection law, and at the moment it also covers the UK, even though the UK recently voted to leave the EU in July.
The UK is expected to invoke Article 50, the provision by which a member state signals its desire to leave the EU. The process of leaving is expected to take at least two years once it starts, which means that by the time the legislation comes into force the UK will still be a member.
The GDPR is there to draw a line of distinction between the data controller and the data provider. The data controller is always the one with the primary responsibility in all cases. Under the GDPR, where a company stores data and uses it in the cloud, that same company will be the data controller and will be responsible for it under the GDPR.
The GDPR also does not depend on the geographic location or nationality of the company: as long as the data of an EU citizen is involved, the law applies.
In this scenario, if any European's data is on the cloud, the company has to play by the GDPR. Nigel Hawthorn, chief European spokesperson for Skyhigh Networks, said that the GDPR meant that using cloud services out of the box was clearly out of the picture.
He said the standard terms and conditions that most cloud companies were currently working with were in no way suitable once the GDPR was enforced. He said that most companies would have to negotiate, review and reject some of those terms and conditions once the GDPR came into play.
In the analysis, Skyhigh noted that 84 percent of the cloud companies did not immediately delete data once a contract with a client had been terminated. If any of the data they failed to delete included European citizens' personal information, the firm is said to be in contravention of the GDPR. The analysis also showed that only 1 percent of the cloud companies provided security notifications within 24 hours. The GDPR requires companies to notify the data controller within 72 hours.
Clearly cloud firms are going to have a tough time following the GDPR. The GDPR has fines in place for any violations of the regulation; fines can be as high as €20 million or 4 percent of the company's global annual turnover. However, regulators are also going to look at the effort companies have made to follow the regulation, which means regulators will give lenient fines where that effort is evident.