To prepare fully for the EU GDPR, existing internal processes need to be evaluated and new ones introduced. But because data processors and controllers are jointly responsible for the security of shared data, it is also important to partner strategically with organizations that are themselves prepared for the new regulation.
Below are examples of questions you should be asking the cloud vendors you choose to work with:
- What processes do you have in place to achieve GDPR compliance in time for the deadline?
- Does your organization have a dedicated security team?
- What is your security strategy and how is it prioritized?
- What are your security policies?
- What are your data protection policies for customer data?
- For how long do you store customer data?
- What process do you have in place to notify customers or prospects when the intended use of their data changes?
- How do you obtain and document expressed permission to store people’s personal data?
- Do you have an appointed Data Protection Officer?
- Do your systems undergo regular penetration testing?
- What are your access control policies for both customer and internal data?
- Where is your data physically stored?
- Who has access to your data facilities?
- What are the terms of ownership over your data?
- What is your formal procedure for reporting data leaks?
- What internal processes do you have for taking action in the event of a security violation?
- Is your security team able to discover and identify personal data, even when not stored together with other identifiers?
- How does your organization handle instances when customers or prospects request their data be removed from your system(s)?
- What third party organizations do you work with that may also have access to the data we share with you?
- How often do you run vulnerability scans?
- Can you share the results from your most recent vulnerability scan?
These preliminary questions are a good starting point for understanding the controls your cloud service providers are adopting for EU GDPR compliance. You can also refer to this more extensive list of 20+ Questions to Ask Before You Onboard a SaaS Vendor.
How Will the EU GDPR Impact Cloud Cybersecurity?
In this recorded webinar, learn more about the ins and outs of the new regulation. Plus, find out how a CASB can help with the implementation of customer controls, incident management, and ongoing audits.