Privacy

GDPR will change how companies work with cloud providers

We keep seeing errors in the ways companies are safeguarding personally identifiable data in the cloud. Those errors will have massive consequences under Europe's new General Data Protection Regulation.

By Greg Otto

March 1, 2018

Some enterprise companies have invested in startups to help with cloud security, rather than more traditional vendors. (Getty)

One of the bigger stipulations in GDPR is that third-party service providers, including companies who run the ever-ubiquitous cloud, will also be responsible for following the correct protocols when it comes to protecting EU citizen data.

Yet just as companies keep throwing everything into the cloud, we are seeing errors in the way they safeguard personally identifiable data.

If you have been following the work of Chris Vickery, you know how easily these errors can be found. Vickery, ‎director of cyber risk research for California-based Upguard, has been finding misconfigured cloud instances all over the internet. Just in the past year, Vickery identified these openly discoverable instances associated with a Florida credit monitoring firm, media behemoth Viacom, and even at the Department of Defense.

Each finding had enough PII to keep privacy officers sleepless for weeks. While they were all based in America, Vickery recently came across a similar breach at French marketing firm Octoly, which caters to European social media influencers.

In a few weeks, Octoly’s response to such a finding will possibly be under much more scrutiny. I talked to Vickery and Upguard CEO Mike Baukes about how they see these security incidents playing out under GDPR, and whether cloud providers will lead the way when it comes to breach response.

Previously on the “Decoding GDPR” podcast: Why GDPR is flipping the thought process around data ownership