A classic digitalization strategy is to move IT systems and data into the cloud
But the protection of personal data must also be given top priority in digitalization. Especially in cloud projects it is essential to know and comply with laws, regulations, industry standards and internal company processes - in short, the compliance requirements. In addition to stricter compliance requirements, new risk scenarios and threats, shifts in security perimeters, and new ways to increase security are among the challenges that this transformation process entails.
GDPR: focusing on data protection
No enterprise today can afford a data protection Waterloo! One of the most important recent developments in data protection is the new EU General Data Protection Regulation (GDPR), which became effective in May 2018. As a result, it has become even more important to anticipate the impacts of legislative changes in advance of any new IT project. If this does not happen, a cloud project stands on feet of clay. There are also industry requirements such as FINMA and PCI DSS in the financial sector and HIPAA in the health sector to consider.
Data protection tools
An essential tool when it comes to data protection and data security is data categorization. To do this, you need to know which data is to be processed in the cloud and whether it is subject to certain compliance requirements. Appropriate protection mechanisms must be put in place for sensitive personal data to ensure compliance with the stringent provisions of the GDPR.
Access to data in the cloud from any location and with any mobile device is standard procedure for information workers. This puts them in an insecure zone that isn’t covered by classic security principles. So, you have to ensure that only authorized persons have access to data. You’ll also need a comprehensive identity and access management (IAM) system to guarantee confidentiality, data integrity and compliance.
Alongside the physical mechanisms of identity and access management, data encryption is the most important technical security mechanism. A cloud provider offering no encryption should not have any clients in this day and age. Anonymization can be an additional option in a protected data environment that helps to reduce data sensitivity.
Cloud governance should extend to cloud providers
By hiring a cloud provider, a company delegates most of the logging and monitoring tasks. But these also need to be supervised. Claims for damages can only be asserted if failures can be proven. Without its own verification mechanisms, this proof is difficult to obtain, so corresponding cloud governance tasks and processes must be established.
Only if you take into account all current privacy and security issues, as well as all previously announced legislative changes, when planning, developing and implementing your cloud project will it be on a solid, secure footing.
Good planning is a battle half won
The Internet of Things and big data applications create huge amounts of data in the cloud, often containing highly confidential and valuable data. This data also does not stop at national borders: it can be collected in Germany, stored in the USA and processed in India. It must be ensured that the data is not manipulated, deleted or, in the worst case, rendered inaccessible by unauthorized persons. Data protection and data security must therefore be central aspects of the digitalization strategy. The GDPR calls for data protection to be taken into account in new IT projects, and this also applies to the cloud. Only if all current data protection and security aspects as well as all previously announced changes in the law are taken into account in the planning, development and implementation of a cloud project will it be on a solid, secure footing.
Effective customer data protection with Trivadis
Trivadis provides security assessments and audits which involve an assessment of your databases for GDPR conformity – irrespective of whether the data is in the cloud or on premises. Our experts perform privacy impact analyses. They check whether your data and data collection processes are subject to the GDPR and which regulations apply to your data. We support enterprises in selecting a cloud provider that guarantees compliance with all the relevant laws and regulations.
Trivadis has extensive experience in data-sensitive sectors such as life sciences, automotive and financial services, and it understands your company’s data privacy requirements in the cloud. Allow your company to benefit from Trivadis’ long-standing experience as cloud pioneer and from its expertise in hundreds of cloud projects.