Personal Info Security is a Shared Responsibility

Over the past month you may have noticed a wildly unusual amount of companies sending you emails announcing they have updated their Privacy Policy. Suddenly everyone’s inbox became flooded with these emails and people started getting fed up. It got to a point of ridiculousness and even reached meme status:

What happened?

While the GDPR is a very important regulation, it has been written about ad nauseam. I’m just going to give you the quick two-liner. The EU’s new regulation about personal data protection online went in to effect on May 25^th. Businesses everywhere are scrambling to update their Privacy Policy because fines from the GDPR start at €20 million.

The Bigger Picture

While all businesses wanted to make sure that they are GDPR-compliant, what the rules are really about is the protection of data. What we want to cover in this blog is that for companies that use SaaS products to store their clients’ data have a share in the responsibility of securing that data.

Making sure that your SaaS providers are GDPR-compliant is important, you want a safe environment for that data. You also want there to be checks and balances for when data is breached, and people are held accountable. But what about your business, what is your responsibility? The GDPR wants all businesses to create plans on protecting data, being more transparent about what they use personal data for, and prepare for data-breach scenarios.

If you were using a SaaS platform to save your clients’ data and someone got a hold of someone’s log in information then the SaaS provider can do nothing to protect that data. Under the GDPR there has to be an announcement that there was a data breach within 72 hours. At this point it’s the Company, not the SaaS provider, that is responsible for that announcement.

Who is Responsible for What?

Depending on your situation the responsibility is shared differently

• Private - If your business chooses to store their client’s personal info on their own cloud servers then they are fully responsible for all of the security as they are the hosts. This includes the physical network, firewalls, infrastructure, virtual network, operating systems, service configuration, etc... The business is also responsible for the data within the server, and making sure no one without authorization can access it.
• Public - If your business chooses to use a Public Cloud system like Microsoft Azure then they are in charge of protecting the infrastructure, physical network and hypervisor of their platform. However the company is in charge of the Personal Data they collect from their clients, their platform, access restrictions and any applications.
• SaaS - If your business uses a SaaS vendor, like BlueCamroo, then the business is responsible for the Personal Data it collects from their clients, access to their workspace, and restricting access to Personal Information only to those authorized.  The SaaS company is primarily responsible for the security of their platform, including physical security, infrastructure and application security, such as session encryption between the software and an access terminal, and providing a granular permission-based algorithm.

So What Now?

You’ve prepared for the GDPR and made sure that your SaaS provider is GDPR compliant, now what you have to do is make sure that your company has the protocols in place to be GDPR compliant yourself.

• Who is your Data Officer?
• Review who has access to your client’s personal info
• Set standards for password protection
• What steps do you need to take in case of a data breach?
• Do you need to review your privacy policy?