The widespread adoption of public cloud services has made it easier than ever to move data between different geographic regions. Yet at the same time, the regulatory landscape surrounding that data movement has grown increasingly thorny.
In the past, many U.S. companies found it easy to meet compliance rules associated with one important framework: the GDPR via the Privacy Shield program. But the European Union’s invalidation of the program in 2020 means companies must now work harder than ever to ensure that they understand where their cloud data flows, then identify the situations where sensitive data moves across international borders in ways that could trigger compliance violations.
In a nutshell, Privacy Shield was an agreement between the United Statrs and the European Union that allowed U.S. companies with data architectures that extended overseas to self-certify that their data management practices aligned with GDPR rules. About 5,000 organizations in the U.S. used the program to certify themselves as being GDPR-compliant with regard to cross-border data transfers.
However, an EU court ruling invalidated Privacy Shield last summer, determining that the program was not adequate for ensuring that U.S. companies complied with GDPR regulations. The change means that companies can no longer use Privacy Shield as an easy way to satisfy certain GDPR compliance rules and avoid being impacted by the growing number of GDPR enforcement actions.
Security and cloud teams must now take additional steps to understand their data and demonstrate that they manage it in a GDPR-compliant manner. Here are proactive steps security teams can take to ensure privacy:
Understand data movement in the cloud.
For organizations that use the public cloud -- roughly more than 90 percent – GDPR compliance in a post-Privacy Shield world hinges on understanding where their data gets stored within complex cloud environments, and how it can flow or move between different services and different clouds.
By default, the public cloud operates as a borderless entity. Data can flow seamlessly between cloud data centers, and public cloud providers offer few tools for restricting the way data may move across different geographic regions. Nor do cloud providers automatically discover and classify sensitive data so that customers know which data may be subject to regulatory requirements regarding cross-border movement. They leave that exercise up to their customers.
For U.S. companies that use the cloud, keeping pace with GDPR compliance rules without being able to self-certify compliance via Privacy Shield requires the ability to track the complex movement of sensitive data within the cloud on a continuous basis. They must know which types of cloud services (like object storage or database) data resides in by default, as well as which users, applications, APIs or other resources can access or move that data. Similarly, they must know which lifecycle policies govern the movement of data from, for example, a hot cloud storage tier to an archival tier.
Leverage automatic data classification and monitoring.
Keeping track of data in the cloud requires automation. Teams must deploy data discovery tools that can automatically and continuously identify the data stored in their clouds, then classify it to determine whether it is sensitive and subject to compliance protections.
These tools can also automatically assess the ways in which sensitive data could potentially move within your cloud, so that you'll know if it might move across borders in a way that leaves you at risk of compliance violations.
Once the team classified its sensitive data and determines how it can flow, the company can take several additional steps to meet compliance requirements. For example, build visualizations using live maps that let organizations track data movement in real-time across different cloud data centers and services. It's a straighforward means of identifying where sensitive data lives and whether it's subject to cross-border flows.
Policy-based data governance.
At the same time, companies can create data policies that define how sensitive data moves, then automatically monitor for violations of those policies. By receiving real-time alerts about data movements that may trigger compliance violations, the team can react immediately and proactively to resolve exposures.
Whether the organization needs to meet rules associated with the GDPR or any other compliance framework, classifying and monitoring company data helps to prevent exposures and demonstrates compliance.
Conrad Smith, chief information security officer, Open Raven