GDPR: Are cloud applications ready for 2018?
Last update: August 22, 2016
The oodrive team
The amount of data collected by companies in Europe is skyrocketing. In an effort to harmonize data protection regulations between EU member states, the European Commission has adopted the GDPR (General Data Protection Regulation), a new regulatory framework which comes into force in 2018. A recent study revealed that the vast majority of cloud applications used by companies don’t currently comply with the future legislative framework.
The protection of personal data is guaranteed under the EU’s Charter of Fundamental Rights. But in recent years, there have been reports that this right hasn’t always been honored by businesses that collect data on a daily basis. The legislation therefore seeks to strengthen the protection of citizens’ data. In light of this, the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data was published in the Official Journal of the EU on 4 May 2016. Businesses now have two years to comply with the new European requirements.
Three-quarters of applications breach EU rules
The 2016 study on cloud services carried out by Netskope revealed that the majority of applications used by businesses do not meet the latest EU requirements. The apps were assessed on eight factors: geographical requirements, data retention, data privacy, data ownership, data protection, audit capabilities, certifications and the existence of a valid data processing agreement. Only 24.6% of applications show a high level of compliance readiness with the GDPR, according to the study.
More than half of applications fail to mention in their terms and conditions of use that their customers retain ownership of the data, pursuant to the EU regulation. And more than 46% of apps store the data for more than a week after their customer has left them, which also conflicts with the new legislation.
The GDPR stipulates that service providers need to make sure their customers have access to all the functions they require. Businesses, on the other hand, will be responsible for putting protections in place and monitoring the usage of the applications. By opting for secure, highly certified applications, companies can reduce their infringement of European rules, a choice that also serves as a mark of confidence for their customers.
Businesses need to retain control over the data they gather and process, so choosing tools that comply with future EU requirements is essential. Companies can greatly benefit from solutions designed by professionals instead of mainstream solutions, which do respond to certain needs internally but don’t guarantee compliance with European legislation. When data is shared or stored using untrusted applications, businesses often have no direct control over it. And solutions designed for companies are typically subject to updates and patches.
Ensuring compliance: the new challenge faced by app publishers
Harmonizing regulations at EU level is going to be a real challenge for many application publishers. But certain obligations under the GDPR already exist in French or German law. What’s more, a number of cloud solution providers now provide a level of security that meets the European Commission’s new requirements.
One step ahead
At Oodrive, data security has always been one of our cornerstones. As a Software as a Service (SaaS) provider, our ambition is to deliver the most secure solutions possible. Oodrive benefits from the Cloud Confidence certification which provides a transparent framework on personal and critical business data protection and commercial confidentiality for cloud providers and users. Based on the European legal framework, the certification guarantees the transparency of cloud services and reassures users of data location, non-transfer to third parties without consent and sub-contracting policy.
Oodrive is also ISO 27001:2013 certified. This standard certifies its ability to guarantee confidentiality, availability, integrity and traceability to its customers. In principle, it is prohibited to transfer personal data outside of the EU unless the destination country can ensure a sufficient level of protection. But it is difficult to guarantee data protection once it has left the EU. With sovereignty and security at stake, Oodrive stores its customers’ data exclusively in Europe, with total security guaranteed.