The modern economy is undeniably global. The world has been made smaller by the proliferation of applications, services, and, most importantly, data delivered and managed in the proverbial cloud. One could argue that the uprising known as the “Arab Spring” occurred as a direct result of cloud-based applications and the innate property of the cloud to disseminate information around the globe to people to whom it was not previously available.
Many a totalitarian government has attempted to stem the flow of information between the cloud and rebellious masses due to the fear that the free flow of information may instigate some similar insurrection. The old cliché “It’s a small world” aptly describes today’s cloud-interconnected society. Experience validates the notion that what happens elsewhere in the world eventually comes home to impact us all in some manner.
The General Data Protection Regulation (GDPR) is a legal construct that emanates from the EU and has already resulted in far-ranging implications for all producers, providers, and consumers of services delivered or maintained in the cloud. Though it has yet to go into effect, this system of regulations is sure to impact every provider, producer, and consumer of cloud-based infrastructure, products, services, and, most importantly, data in the years ahead.
The GDPR framework was designed to strengthen an EU citizen’s fundamental privacy rights in the digital age. This system of regulations is being studied far to the west of the European continent because of the clear and present impact that it may have on U.S.-based businesses, government entities, and security. The U.S. may eventually mimic this comprehensive privacy approach with application and infrastructure alterations and data protection requirements that have been heretofore unimagined. EU law does not directly apply to the U.S., but it should be understood that any set of regulations that affects the lives of every citizen of the EU will inevitably indirectly impact U.S. citizens and businesses as well.
Cloud Vendors Actions
The GDPR regulation is a direct result of the actions or, more accurately stated, inactions of the public cloud providers in the arenas of goods and services. To quote Robert Scott of the law firm Scott & Scott, LLP, of Southlake, Texas, “Big public clouds dodge all liability.” To this, we would add “and responsibility.” The public cloud providers in the U.S. have, to date, successfully avoided any structural accountability. Despite the movement in the U.S. toward more federalized control, the U.S. remains a very free and open society which, by default, allows all enterprises to grow and develop organically.
Often, this results in industries creating their own common practices and rules and even the most well-understood and strictly enforced bodies of law do not directly apply to, or even affect, new industries. The providers of public cloud infrastructure and services have taken the stance of dodging any and all liability whenever possible. What was good business to the cloud provider was not always in alignment with the best interests of the consumer. Eventually, the proverbial pendulum swings back. No longer will big public cloud providers be allowed to roam the skies free of accountability. The GDPR regulations are designed to give the consumer control of their data and allow the government to more effectively collect taxes.
My Data My Choice
The great majority of people living in the internet age have, at some point, wished that they could rescind some comment made on a social media system. Alternatively, it is often an unfortunate occurrence that a user will discover something about themselves on the cloud that they would want to be removed forever. The option to remove a user account, with all its contents permanently dissolved into the ether, is highly desirable.
A major premise of the GDPR is that of “my data, my choice.” Under the new rules, cloud providers would be required to provide the consumer more information on how their data is being processed. The consumer would also have the right to disappear. When the use of a particular service is no longer desired, the cloud provider would be obligated to delete that user’s data. In addition, the provider would be responsible to take reasonable steps to inform third parties of the requested withdrawal to facilitate the removal of all respective information. The only exception to this construct is the allowance that a service provider may provide “legitimate” reasons for the retention of the data.
The consumers of cloud services own much of the data and therefore often have the inherent right to data portability under the regulation. The cloud service provider would need to make it easier for a cloud service user to transfer the data if the user chose to work with a competing cloud provider. Also, the service providers would be obligated to notify each affected user of a data breach without delay. A few years ago, a major U.S. retail chain experienced a breach which affected millions of customers’ credit card data but neglected to notify customers for fear it would negatively impact holiday shopping. This behavior would no longer be tolerated and would now result in criminal liability and huge fines.
The GDPR substantially increases the level of responsibility and functionality for those providers of services delivered through the cloud that choose to maintain personal data for a fee. The avoidance of all liability and responsibility is no longer feasible or permissible.
Big Public Clouds Dodge Responsibility—No Longer
Under the GDPR, companies will likely need a data protection officer (the closest thing to this in the U.S. is a data privacy officer), whose job is to advise on GDPR regulations and monitor compliance to those regulations. That officer will also be required to keep detailed records of how information is processed.
When a data breach occurs, the firm will be responsible for reporting the breach in a timely manner. The actual meaning of “timely manner” is still being determined but will most likely be about 1 to 3 days from when the breach is first detected. The report will include a variety of categories of data affected such as the specifics on which records were touched and who was impacted. The penalties for non-compliance will be substantial. For not adhering to the regulation, a fine could be assessed as high as 2%–5% of a corporation’s global revenues.
Even if a business does not have a physical presence in the EU, if it collects data about EU citizens, the regulation will affect that provider. This will impact Facebook, Twitter, and any other social media application. Applications such as Airbnb or any other apartment-sharing applications, if they choose to operate within the boundaries of the EU, would also be subject to these onerous rules. As a result, all ecommerce sites should pay very special attention to this new regulatory system.
The GDPR constitutes good news for those infrastructure providers that possess strong security and compliance capabilities today. Those providers will be in the best position to support their customers who deploy products and services over the cloud.
As the cloud matures, the expectation of those who consume cloud products and services is also maturing. When a cloud provider is compensated, and therefore contracted, to delete personal information, they must fulfill that contract. It will become increasingly difficult for the infrastructure providers and producers of services in the cloud to dodge all liability and responsibility.
Corporations will be at risk if they use cloud providers that do not include strong security and compliance expertise as a major component of their portfolio. Risking 2% of global revenue is not a sound strategic approach for modern cloud IT. Eventually, the boardrooms of the cloud providers, as well as the companies that use those cloud-oriented services, will require the highest levels of security and compliance. Each board meeting will focus on how these organizations are addressing their customers’ data because the risks will outweigh the benefits of the previous attitudes of casual dismissal.
This article first appeared in the Summer issue of Big Data Quarterly Magazine.
Image courtesy of Shutterstock.