Using Cloud Services like Google Drive and Box and How you Should be Thinking about GDPR

With the General Data Protection Regulation (GDPR) coming into effect on May 25th, many of our customers have been asking us what they should be doing with data stored in cloud services that can store any kind of data, like Google Drive and Box. It’s hard to know whether employees are unknowingly creating files with sensitive personal data and whether that data is being managed properly.

Ohalo has done a lot of work with financial institutions, but we recently have received incoming interest from companies as far afield as media, fashion, and SaaS providers. The IT manager of a fashion label came to us with an interesting problem. While he can assume that his customer relationship management (CRM) services or his email services probably have personal data as a default, in his GSuite organization, he is managing over 800 different Google Drive accounts. He has no idea what data is where and how different teams store data in these cloud services.

At the very least, these are unchecked data security risks à la Cambridge Analytica. However, with GDPR coming into effect at the end of the month, failing to comply with its principles could turn into a regulatory fine (up to 4% of revenue), private action (individual lawsuits), or possibly class action. Understanding how you are complying is even harder in an unstructured cloud service like Google Drive or Box because literally any kind of data can be stored there.

In order to plan actions, companies need to be thinking about how they manage these cloud services.

  1. What data do I have stored? Is it personal data?

  2. Where is data stored?

  3. How and when did you obtain this data?

  4. Why do you have this data?

  5. Who has access to this data?

  6. What (and when) did you get consent for this data (if personal data)?

  7. Is the data stored securely?

  8. Do you need to keep track of the data as it travels between systems (data lineage)?

  9. Does the data get transferred across international borders?

Ohalo’s Data X-Ray Cloud version is a data discovery and classifying engine for your cloud services. It locates personal data even if it is unstructured data and hiding in a spreadsheet somewhere. You can gain a bird’s eye view of focal points of personal data. You can then know what next steps to take in order to lock that data down.

In addition to providing a first barrier against risks that lead to possible regulatory investigation or civil litigation, you can save thousands of person-hours required to look through and classify data not only in preparation for GDPR but on an ongoing weekly basis.

If you use Google Drive or Box and would like to see it in action, sign up here. It’s free to start and integrates in seconds. If you would like to hear more, please do get in touch with us by either contacting us or scheduling a demo.

About Ohalo

Ohalo builds tools to automate data governance. The Data X-Ray scans for sensitive data on a regular basis so that you are always up to date with where your sensitive data is. Simply sign up here. Once you have established a baseline of where your most sensitive data is, you can track where that data is going with the Data Protection Router in order to assist your clients in Data Subject requests like access, rectification, erasure, and breach notification.