Thursday 20 September 2018

GDPR: Can we trust the cloud once the new data rules are introduced?

Tough new data rules will address some of the concerns around our data in the cloud, but they are not a panacea, argue Theo Lynn and Grace Kenny

Data Protection Commissioner Helen Dixon addresses last year’s Dublin Data Sec. Photo: Gerry Mooney
Data Protection Commissioner Helen Dixon addresses last year’s Dublin Data Sec. Photo: Gerry Mooney

Theo Lynn and Grace Kenny

The digital economy is driven by data, built on the cloud, and accelerated by the ever-increasing adoption and ubiquity of mobile technologies, social media, and the Internet of Things. The convergence of these technology mega-trends is transforming how business and society operate and interact, and is creating data in volumes at several orders of magnitude than the past. For some, this is an opportunity to exploit, for others a risk to mitigate.

In our headlong rush to consume the next big digital thing, consumer surveillance has become habitualised. Unfortunately, our regulatory infrastructure has not been able to keep pace with our migration to a digital future. For example, the existing Irish data protection regime predates the iPhone, Facebook and the Google Cloud. This May, the General Data Protection Regulation (GDPR) will come into effect across Europe impacting citizens and the businesses they interact with and promising to improve trust in the digital economy.

Dear Cloud, we have trust issues

Cloud computing is a key enabling technology in the digital economy. Its benefits are widely reported. It helps businesses realise cost efficiencies and agility through access to on-demand IT infrastructure and capabilities, scalability, elasticity, with a pay-as-you-go model that replaces upfront capital expenditure with operating expenditure.

It enables the hyperscale services that provides consumers with their daily digital dose - their email, YouTube, Netflix, Facebook or any of the myriad of apps and internet services that we have come to rely on. The cloud is our backup, our redundancy plan for lost laptops and smashed smartphones. Despite all of this, consumers retain a fear of the unknown and a loss of control in relation to the cloud and more specifically their data in the cloud. The cloud literally has trust issues.

Trust is a widely referenced but frequently misunderstood concept. When we say we trust somebody, we accept vulnerability based on the positive expectations regarding their intentions or behaviour towards us. We make judgements on their ability (competence) and integrity. We believe they will act in our best interests and that their behaviour on our behalf will be predictable.

The cloud however remains unknown to many, less of a cloud and more a fog. Although many understand that our email, family photos and other data is in the cloud, we don't know what that means. Where is our data? Who controls it? Who else can access it? What are they doing with it? Why am I getting these great services for free?

Our trust issues with the cloud are inherent in the very nature and business models of the cloud. We pay for "free" services with our data.

While most of us know this to be true, the lack of transparency in what this "payment" might mean in reality remains uncomfortable for many. There is a tendency to simplify the cloud as one provider and focus on that organisation. The reality is that your data is controlled by one organisation but potentially processed and sub-processed by a much larger number of companies whose hardware, software and networks make up the underlying infrastructure of any given cloud service.

As such, your data may cross borders and legal jurisdictions, be augmented, replicated, restored and reprocessed; most likely without your knowledge but often with your permission. In itself, this is the status quo. No harm, no foul. It's all fun and games until someone gets hurt.

Things start going wrong when there is data loss, data misuse, data leakage or a data breach. Intent is key here. Data loss occurs and may not be intentional, exploitative or malicious.

However, it may impact trust because it undermines confidence in ability. Data misuse differs significantly as it is often intentional. This is essentially excessive secondary use of data, or the use of data for purposes beyond what it was originally collected for.

There are numerous examples on the Data Protection Commissioner's website of alleged and actual data misuse. A commonly cited example is unsolicited marketing. Again, many of us sign up to services and agree to the use conditions without really exploring what this means for our data. As unpalatable as some of the uses might be, often we have agreed to these uses.

Data leakage and data breaches are more concerning as both scenarios involve the communication of confidential data to parties external to the organisation. Sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so. Both may involve a malicious insider, however data breaches are often the result of co-ordinated security attacks on systems from external users. Data misuse, data leakage and data breaches go to the core of trust.

They, to varying degrees, can undermine consumer confidence in whether organisations are acting in our best interest, whether they have integrity and finally whether they have competence in protecting your data from unauthorised disclosure.

Let us introduce GDPR

The GDPR seeks to provide individuals with greater control over their privacy by strengthening their ability to obtain copies of their personal data from organisations, and have data corrected, deleted or transferred.

Furthermore, individuals can object to their data being processed in certain circumstances and not be subject to automated decision-making (including profiling). GDPR also requires organisations to be transparent about how they collect, use and protect personal data, including communicating how individuals can exercise their rights. They also need to be able to demonstrate accountability for their data processing activities including the identification, reporting and response to data breaches.

It introduces significant penalties with fines up to 4pc of total annual worldwide turnover for failure to comply with requirements. The severity of the punishment is designed to act as a deterrent to non-compliance, an accountability action in the event of failure.

Will GDPR solve the cloud's trust problems?

GDPR is not the full solution to trust in the cloud but possibly part of it. GDPR strengthens individuals' rights. For a certain class of cloud services, it will provide greater transparency but the cloud is a complex and ephemeral thing. For example, it is not fully clear to what extent suppliers to cloud infrastructure providers are to be treated as processors and to what degree transparency over their use of personal data is required. Any vulnerabilities in these systems could result in non-compliance with GDPR and data breaches.

GDPR requires greater focus on the development of more robust data protection processes and systems. However, this assumes that existing clouds did not have these systems in place previously. They have. Indeed many are audited and certified to international standards and still suffer from cyberattacks and data breaches.

Fully addressing trust in the cloud requires not only accountability but assurance. Not merely design for failure but design for dependability. Punishments, even severe ones, may not, and often do not, deter crimes. Why do we expect the same here?

Cloud service providers, indeed all organisations controlling or processing data, should expect to be audited regularly for compliance with GDPR.

There needs to be a belief by organisations, that non-compliance will be detected and punished. This assurance combined with the accountability will result in greater long term trust in the system over time. But at what cost? Implementing GDPR is already costly. Implementing an integrated system of assurance and accountability would cost an order of magnitude more. Who will bear the cost? The cloud service provider? The consumer?

The reality is that GDPR does strengthen the rights of individual citizens. It will, most likely, improve data protection in the cloud and increase transparency for many but not all cloud service providers and related companies.

It may deter data misuse but it won't prevent data loss and data breach particularly where there are motivated malicious insiders.

GDPR probably goes some way to addressing trust in the cloud but probably not far enough.

Professor Theo Lynn is Professor of Digital Business at DCU Business School and is the Principal Investigator of the Irish Centre for Cloud Computing and Commerce (ic4.ie). Dr Grace Kenny is a post-doctoral reserarch at ic4.ie

Dublin Data Sec 2018 is Ireland's GDPR event, please visit www.independent.ie/datasec2018 for further information and tickets

Sunday Indo Business

Business Newsletter

Read the leading stories from the world of Business.

Also in Business