After the GDPR enforcement deadline passed in May 2018, we would hope that organizations made substantial progress towards achieving compliance. However, as organizations of all sizes and sectors continue to ramp up their use of cloud services, they must also be aware of the threat that unmanaged SaaS usage poses to continued GDPR compliance.
SaaS vs GDPR
It is fair to say that GDPR and SaaS are not a match made in heaven. Why? The components of GDPR compliance are many and varied, but most of them rest on a simple foundation: an understanding of where in the enterprise personal data resides, who is accessing it, and how it is being processed.
To build their Record of Processing Activities (RoPA), mandated by Article 30 of the GDPR, organizations must discover and document all personal data repositories in use across the enterprise, regardless of platform.
This brings us to the cloud and SaaS. While most organizations have a reasonably good handle on where on-premises personal data repositories reside, the same can’t be said for SaaS-based personal data repositories.
There are a few reasons for this gap in knowledge and visibility. Firstly, the discovery tools and methodologies used in many organizations are focused on scanning on-premises data centers, and are often unable to perform automated discovery of personal data repositories in the cloud. Secondly, many SaaS applications are purchased by business units with little or no IT involvement, creating a visibility gap and an incomplete picture of all personal data repositories within the business.
Without a holistic view of your data, the GDPR foundation of personal data visibility is unstable and the mission-critical RoPA is likely incomplete or invalid. In short, a lack of understanding of SaaS-based personal data repositories makes GDPR compliance unattainable and opens the door to audit findings and fines.
Keep calm and mitigate risk
So, how can GDPR teams ensure all personal data repositories are accounted for, regardless of delivery platform?
- Establish automated discovery across on-premises and cloud environments - Performing a data inventory is a critical component of GDPR compliance. Automated discovery solutions can help to build this inventory not only initially, but also ensure that it’s updated on an ongoing basis. Documents such as the RoPA need to be updated as new systems – both on-premises and cloud – are added or removed.
- Determine what data is shared with vendors and how they handle it - One of the many ways GDPR is complex is that an organization is responsible not only for ensuring adequate security measures in its own environment, but also in the environments of vendors with whom it shares the personal data of its customers. Since many controllers share personal data with processors via SaaS applications, knowing what SaaS data you have will allow you to also identify what vendors are processing personal data and you can work with these vendors to assess their data security practices.
- Categorize personal data by type and know where it resides - Many GDPR processes require organizations to know not only where personal data resides, but what type of personal data is stored. For example, to handle a “right to be forgotten” (erasure) request, companies must be able to find the personal data for a specific data subject and then identify what data must be deleted and what may, or must, be retained. This process must be carried out across all data repositories, both on-premises and SaaS-based.
- Identify who has access to personal data - Most organizations do a reasonably good job of maintaining, and periodically reviewing, access controls for on-premises data repositories. However, these controls break down when it comes to SaaS-based personal data repositories.
With SaaS, coarse-grained access control hierarchies often give a wide swath of users visibility into personal data. In addition, robust joiner, mover and leaver (JML) processes are often not applied to SaaS applications, leaving them exposed to employees who should not have access, or who have perhaps even left the organization. Establishing access visibility and control for all personal data repositories, particularly SaaS-based ones, is a critical component of GDPR compliance.
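The following is an added example, not code from the original article: a small reconciliation of a SaaS application's user export against the HR roster, which is the practical check behind the joiner, mover and leaver point above. It flags accounts belonging to people HR lists as terminated (leavers), accounts with no matching HR identity at all (orphans), admin roles held outside the departments permitted to have them (movers or over-privilege), and accounts dormant for more than 90 days. The CSV column names, the sample exports, and the rule that only Finance may hold the admin role are assumptions constructed for illustration; a real SaaS export will have different columns.

```python
"""Reconcile a SaaS user export against the HR roster (added example).

Column names, sample data and the admin-department rule are assumptions
constructed for this illustration, not taken from any real system.
"""
import csv
import io
from datetime import date

# Constructed sample HR roster export (not real data).
HR_ROSTER_CSV = """email,status,department
alice@example.com,active,Finance
bob@example.com,terminated,Sales
carol@example.com,active,Engineering
dave@example.com,active,Sales
"""

# Constructed sample SaaS user export (not real data).
SAAS_USERS_CSV = """email,role,last_login
alice@example.com,admin,2024-05-20
bob@example.com,user,2024-04-15
carol@example.com,admin,2024-05-21
dave@example.com,user,2023-11-30
erin@example.com,user,2024-05-19
"""

# Assumption: only these departments may legitimately hold the admin role.
ADMIN_ALLOWED_DEPARTMENTS = frozenset({"Finance"})
DORMANT_DAYS = 90
AS_OF = date(2024, 5, 22)  # review date for the constructed sample


def parse_csv(text):
    """Parse a CSV export into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_rows, saas_rows, today,
              dormant_days=DORMANT_DAYS,
              admin_departments=ADMIN_ALLOWED_DEPARTMENTS):
    """Return (email, finding) tuples for SaaS accounts that need action.

    The HR roster is the source of truth for who is still employed and in
    which department; the SaaS export is what the application actually
    grants access to. Each mismatch becomes one finding.
    """
    roster = {row["email"].strip().lower(): row for row in hr_rows}
    findings = []
    for acct in saas_rows:
        email = acct["email"].strip().lower()
        person = roster.get(email)
        if person is None:
            # Nobody in HR owns this login: unmanaged or shared account.
            findings.append((email, "orphan: no matching identity in HR roster"))
            continue
        if person["status"] != "active":
            # Leaver process was not applied to this SaaS application.
            findings.append((email, f"leaver: HR status is {person['status']}, account still enabled"))
        if acct["role"] == "admin" and person["department"] not in admin_departments:
            # Mover or over-privilege: admin held outside the permitted departments.
            allowed = ", ".join(sorted(admin_departments))
            findings.append((email, f"over-privileged: admin role outside {allowed}"))
        last_login = date.fromisoformat(acct["last_login"])
        if (today - last_login).days > dormant_days:
            # Dormant access is a standing exposure with no business use.
            findings.append((email, f"dormant: last login {acct['last_login']}"))
    return findings


def run_example():
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(parse_csv(HR_ROSTER_CSV), parse_csv(SAAS_USERS_CSV), AS_OF)


if __name__ == "__main__":
    for email, finding in run_example():
        print(f"{email}: {finding}")
```

On the constructed data this yields four findings: bob is a leaver, carol holds admin outside Finance, dave is dormant, and erin has no HR identity; alice is clean. The same loop works for any export that can be reduced to an email, a role and a last-login date, and a scheduled run of it is the minimum needed to make the access-control claims in a RoPA defensible for SaaS repositories.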
Maintaining compliance
Essentially, you need to treat SaaS just like any other system. This will be crucial as SaaS continues to become the dominant deployment platform in many organizations. Over time, as tooling and processes catch up, this will become easier to account for and implement. In the meantime, however, maintaining controls over SaaS will require special attention and dedication.
There are a number of solutions that can accelerate and maintain compliance – ensuring that all personal data repositories are accounted for, regardless of delivery platform. This includes case management systems for handling data subject requests, and data discovery systems for finding applications, structured data, and unstructured data.
In addition, Identity and Access Management software can track role management and who has access to which data, and Software Asset Management (SAM) solutions can help to create the system, users, and device visibility required to ensure claims of compliance are based on a complete understanding of the enterprise.
Looking ahead
Cloud adoption - especially SaaS - is showing no signs of slowing, with nearly every organization utilizing some form of cloud service. However, whilst organizations are stepping up their SaaS usage, they are grappling with compliance complexities at the same time.
Complete visibility of business processes and applications which process personal data, and elimination of personal data blind spots across all platforms, will be absolutely essential to manage the demands of both compliance and increased SaaS usage – regardless of whether or not you made the deadline.