In the wake of changes to data liability regulations as part of the GDPR, companies face the challenge of unravelling their cloud supply chains in order to get the information they require to ensure compliance. A failure to audit suppliers regularly and probe the supply chain will have severe consequences. Transparency is therefore a key factor in ensuring that all parties involved have the required security mechanisms in place, says The Bunker.
One of the most impactful changes included in the GDPR is the expansion of the breadth of customer data that an organisation is liable for. Unlike the previous legislative framework, both data controllers and data processors have potential liabilities towards any customer data. This means that any organisation that passes data over to a service provider for any kind of processing therefore still bears the brunt of exposure in the case of a data breach – including organisations that use cloud service providers (CSPs).
Phil Bindley, CTO at The Bunker, comments on the implications for organisations: “When the GDPR comes into effect in May 2018, it will be incumbent on any organisation who uses a CSP to ensure that everything the provider does is technically, organisationally, and culturally in-line with the new regulations. It’s no longer enough to rely solely on a supplier’s word – one of the biggest shifts in the GDPR is that organisations have to demonstrate that suppliers have proved their compliance. In all likelihood, an organisation is not just dealing with one supplier; CSPs often have complex supply chains involving several providers who are all part of the process of providing cloud services. There’s only one way to guarantee compliance across this chain: ensuring that the relationship with the cloud supplier is grounded in complete transparency.
“Organisations will have to audit and test their CSPs in order to ensure that they’re compliant, and this will rely on suppliers being open about what’s happening to the data. For many organisations, this will involve developing a more meticulous approach to their suppliers than they are otherwise accustomed to. Rigorously auditing, testing, and establishing suppliers’ compliance with security regulations is part of The Bunker’s DNA, but for many this level of precision will be unfamiliar. Moreover, it’s not good enough to do this only at the contract stage – to secure continued GDPR compliance, this level of testing will have to become part of the lifecycle of the supplier relationship.”
According to Bindley, this has implications for how organisations choose CSPs: “The path to GDPR compliance in the cloud is a two-way street. Suppliers have to be open to testing and cooperating with audits; establishing the level of transparency required for compliance is a joint mission. When choosing a CSP or working with existing suppliers, IT professionals should take this into account – and any obstructionism or opaque practices from suppliers should be taken as red flags.”