Over the past 18 months, compliance with data protection laws may not have been top of mind for many organisations.
Firms had to move quickly to switch to remote operations and home working, and an expanded use of the cloud gave some protection.
But this will not give indefinite cover for compliance and regulatory shortcomings.
Experts expect the Information Commissioner’s Office and other regulators to pick up the pace of enforcement in the coming year.
Organisations also need to deal with new and revised regulations, such as the upcoming PCI-DSS 4.0, due for release in 2022.
With cloud use predicted to keep growing – IDC predicts the cloud computing industry will be worth US$1.35tn by 2025 – firms need to ensure they have the right data security and privacy safeguards in place.
The next few months are an ideal opportunity for chief information officers to review their cloud compliance models. Here are some key areas to focus on.
GDPR and the Data Protection Act
Although the UK has now left the EU, the GDPR (the EU’s General Data Protection Regulation) is incorporated into UK law under the Data Protection Act 2018. There is no intention for the UK to diverge from the GDPR, and the EU’s regulations have since become, if not a de facto standard, a model for other countries’ data protection laws.
The GDPR sets out the rules for processing data, including when it is handled by third parties. As Mathieu Gorge, CEO at privacy consultants Vigitrust, points out, using the cloud automatically means trusting data to a third party.
“The cloud provider becomes a processor of the data, and you are the data controller,” he says. “You need to make sure the data processor brings the right level of security, at least as good as your own. You need to make sure your data flows are mapped, and you have done a privacy impact assessment.”
Where the UK could still diverge from the EU is in enforcement. Some of the largest data protection fines, prior to Brexit, were levied by the UK. Since then, these have been overtaken by penalties from the Irish and Belgian regulators. According to Vigitrust’s Gorge, the ICO might want to show it still has the power to levy hefty penalties, post-Brexit.
PCI DSS and PCI DSS 4.0
PCI DSS is not a legal requirement, although data privacy experts recommend it is treated as one. The PCI Security Standards Council plans to publish a draft of PCI DSS v4.0 in January 2022 for organisations to review. A final version of the standard is set for March 2022.
However, under transition arrangements, the current version of PCI DSS (v3.2.1) will stay active for 18 months from the release of all the PCI DSS v4 documentation. And, according to the PCI Security Standards Council, there might be requirements that are future-dated. The transition period for these future-dated requirements is not yet known, but it is expected to be two-and-a-half to three years after the publication of v4.0.
This potentially pushes the implementation period of PCI DSS out as far as 2025. However, given the impact the standard can have on organisations, CIOs, CISOs and data controllers should be reviewing compliance with the existing standard now.
“Payment card details including card numbers are often accompanied by personal data like the cardholders’ home address and full name. That means a breach of such data not only contravenes PCI DSS compliance but also GDPR, both of which can cause hefty financial penalties,” cautions Craig Tunstall, a senior cloud consultant at HeleCloud.
Network and Information Systems Directive
Like the GDPR, the Network and Information Systems Directive is EU legislation, incorporated into UK law. Although the Directive is less well known than GDPR, its requirements are rigorous. Digital service providers, including cloud service providers, need to put in place security measures to prevent data compromises and breaches. If they are the subject of an attack, they need to inform the Information Commissioner within 72 hours.
The NIS has, however, been revised since the UK left the EU. The legislation covers two groups of organisations: Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSP); which group an organisation falls into is determined by the criticality of its service to national infrastructure.
According to Phil Robinson, principal consultant and founder of Prism Infosec, a cyber security consultancy, where data is processed in the cloud, organisations that qualify as an OES or RDSP are required to report any security incidents to the ICO.
Shared responsibilities
Organisations that use the cloud need to understand they share responsibility for data protection, privacy and security with their suppliers.
This is not set out in a single piece of legislation; rather it is a fundamental tenet of GDPR, NIS and other data protection rules.
At its simplest, it means organisations are always responsible for their data, even when it is being stored or processed by a third party. Such third parties include cloud services such as AWS, productivity suites such as Office 365, and even consumer-oriented file sharing services such as Dropbox.
Given the diversity of cloud services in use today, organisations need to ensure the infrastructure they are using matches the sensitivity and regulatory requirements of the workload or business process.
As HeleCloud’s Tunstall points out, CISOs cannot assume, for example, that a PCI DSS workflow is compliant, simply because it runs on top of (PCI DSS compliant) cloud infrastructure from AWS.
“When storing data in the cloud, a key area of regulatory compliance is understanding the shared responsibility model of your cloud service provider and the specific service you are using,” he warns.
Data residency, Brexit, and adequacy
Organisations also need to know where data will be at all times. In the days of on-premises storage hardware, this was simple: data resided in the data room, datacentre, or co-lo service. Data moved only rarely, such as in a disaster recovery scenario.
The global nature of the cloud means that data can now be anywhere in the world and technologies such as object storage can even split a single file across multiple locations. The “hyper-scale” cloud providers all offer region-specific storage, and the ability to lock data to a geography.
That, though, is not guaranteed for smaller cloud services or third-party services that run on others’ public cloud infrastructure. Post-Brexit, the UK has an adequacy agreement which allows data to be stored in the EU, but GDPR restrictions apply to data coming from the European Economic Area to the UK.
Organisations moving data outside the EEA, the US and Australia need to demonstrate that data protection laws are sufficient to comply with the DPA, that they have the data subject’s consent, and that they are complying with local laws, such as China’s PIPL.
Where data resides is a complex area, and organisations should take professional advice at an early stage in any cloud project.