Using Cloud Services like Google Drive and Box and How you Should be Thinking about GDPR

With the General Data Protection Regulation (GDPR) coming into effect on May 25th, many of our customers have been asking us what they should be doing with data stored in cloud services that can store any kind of data, like Google Drive and Box. It’s hard to know whether employees are unknowingly creating files with sensitive personal data and whether that data is being managed properly.

Ohalo has done a lot of work with financial institutions, but we recently have received incoming interest from companies as far afield as media, fashion, and SaaS providers. The IT manager of a fashion label came to us with an interesting problem. While he can assume that his customer relationship management (CRM) services or his email services probably have personal data as a default, in his GSuite organization, he is managing over 800 different Google Drive accounts. He has no idea what data is where and how different teams store data in these cloud services.

At the very least, these are unchecked data security risks à la Cambridge Analytica.

However, with GDPR coming into effect at the end of the month, failing to comply with its principles could turn into a regulatory fine (up to 4% of revenue), private action (individual lawsuits), or possibly class action. Understanding how you are complying is even harder in an unstructured cloud service like Google Drive or Box because literally any kind of data can be stored there.

In order to plan actions, companies need to be thinking about how they manage these cloud services.

1. What data do I have stored? Is it personal data?

2. Where is data stored?

3. How and when did you obtain this data?

4. Why do you have this data?

5. Who has access to this data?

6. What (and when) did you get consent for this data (if personal data)?

7. Is the data stored securely?

8. Do you need to keep track of the data as it travels between systems (data lineage)?

9. Does the data get transferred across international borders?

Ohalo’s Data X-Ray Cloud version is an unstructured data discovery and unstructured data classification engine for your cloud services. It locates personal data even if it is unstructured data and hiding in a spreadsheet somewhere. You can gain a bird’s eye view of focal points of personal data. You can then know what next steps to take in order to lock that data down (i.e. data redaction).

In addition to providing a first barrier against risks that lead to possible regulatory investigation or civil litigation, you can save thousands of person-hours required to look through and classify data not only in preparation for GDPR compliance but on an ongoing weekly basis.