Today, May 25, 2018, is the day the EU General Data Protection Regulation (GDPR) officially comes into effect. For the past two years, companies have been working to make sure that they are GDPR compliant in order to avoid penalties. Businesses that fail to comply face fines of up to 20 million euros or 4% of worldwide annual turnover. But now that it's finally here, what does it mean?
Well, according to The Verge's Sarah Jeong, "no one is ready — not the companies and not even the regulators." And at the time of writing this blog, the GDPR informational website is down; perhaps a sign that it has been completely overwhelmed by last-minute scramblers?
“In a survey of over 1,000 companies conducted by the Ponemon Institute in April, half of the companies said they won’t be compliant by the deadline. When broken down by industry, 60 percent of tech companies said they weren’t ready.”
– Sarah Jeong, The Verge
But What is the GDPR?
As stated, the GDPR site is currently down, so I will refer to Slate’s simplified description of the mandate:
EDIT 19.06.2018: https://www.eugdpr.org/ is back online.
“There are a host of new requirements rolled into the GDPR. Companies will now have to report data breaches within 72 hours and allow people to access the private data that has been gathered on them and find out how it’s being used. Users also have the “right to be forgotten,” allowing them to demand that companies remove certain personal information from the internet, and the right to opt out of sensitive data collection. The GDPR further broadens the definition of “personal data” to include locations, browsing history, IP addresses, and other information.”
– Aaron Mak, Slate
Ok, so it’s understandable that many companies are working to be compliant, but the regulators aren’t even ready?
According to Reuters,
“Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties… Many watchdogs lack powers because their governments have yet to update their laws to include the Europe-wide rules, a process that could take several months after GDPR takes effect…”
– Douglas Busvine, Julia Fioretti, Mathieu Rosemain
What a Mess!
It’s a good thing that you are an ownCloud user and, therefore, do not have to worry about any of this.
ownCloud offers you a secure file-sharing alternative to conventional public cloud offerings. Through on-premises installation and a variety of administration and security features, you not only gain full control of your data, but a truly private cloud for your business that is fully compliant with the GDPR.
If somebody else runs ownCloud for you, make sure that they are within EU jurisdiction, or monitor regulatory changes to things like Privacy Shield very closely! Keep in mind that under the recent CLOUD Act, your data can be monitored by US agencies at any time, without your knowledge.
The bar for what counts as a matter of national security was lowered dramatically this week: at the President's request, the US Ministry of Trade is inquiring whether ordinary car imports affect national security.
Here is an overview of how ownCloud meets the GDPR requirements:
- Integrity & resilience of the systems: File changes must be detected and verified. ownCloud offers several features that meet this requirement, including:
  - Multi-factor authentication
  - Permissions management
  - File firewall
  - Audit log
  - File integrity check
  - Authentication
  - Document classifications and policies
  - Professionally developed and tested enterprise software
- Availability and access: Data must remain available and accessible to its users at all times. ownCloud offers ransomware protection and versioning with granular recovery in case an attack proves successful.
- Transparency and procedure: Companies must process data in a transparent and comprehensible way and have procedures for evaluating the effectiveness of their protective measures. ownCloud offers an auditing/logging module and transparent authorization management.
- Encryption of personal data: The GDPR reduces procedures and notification requirements if personal data is encrypted. ownCloud provides master-key server-side encryption, with optional HSM support, to keep your data safe at rest. For critical data as covered under Article 9 of the GDPR, we optionally offer client-side end-to-end encryption with optional key server and smartcard support for the best possible security!
For more information, be sure to visit our GDPR page, download our whitepaper and check out our recorded webinar, "How you can beat GDPR, CLOUD Act and other regulatory challenges with ownCloud".