The GDPR’s been in force for almost a year now. It was originally introduced some years ago, aiming to provide at least a semblance of a framework for data protection in the fast-paced world dominated by technology. We’ve so far seen 91 fines imposed by EU’s data protection authorities under the GDPR, and there are thousands of complaints lodged, currently under review.
The case of Google’s 50m EUR fine was arguably one of the biggest ones. So, needless to say, the GDPR is pushing data protection forward. The USA isn’t too far behind – understandably so, given all the leaks that took place there over the last few years.
Despite the European regulation’s intent, however, there are still misunderstandings amongst the EU Member States and their implementations of the regulation into national laws are quite distinct. This fragmentation of the digital single market, perhaps somewhat unexpectedly for some players, has led to a significant increase in data protection services.
By that, we mean those of law firms, risk management, and cybersecurity companies. And since the post-GDPR legislative landscape is the opposite of constant, it’s no surprise that these firms have been quite busy this year. Once the backlog of complaints is cleared, we can certainly expect even more hefty fines in 2019, and therefore, more money to be spent on these services.
However, there aren’t that many firms equipped with both legal experts, IT experts and compliance managers. For that reason, data controllers have had no choice but to go to different places for different services. The demand breeds supply, though, and so the GDPR compliance requirements, together with the growing concerns regarding data leaks, are what’s driving more and more companies to offer data-protection-as-a-service or DPaaS.
What is DPaaS?
DPaaS is a description of cloud-based solutions for protecting data assets. With the increasing popularity of companies migrating their data to on-premises clouds, they can use DPaaS to build and deploy enhanced security tools for the data. The digital assets of companies, especially B2C and B2B2C ones, are some of the most valuable ones in this day and age, so their concerns and the interest in DPaaS are very valid.
Clouds, especially proprietary on-premises ones, facilitate a company’s operations to a large extent and are a safe way to store data, but they aren’t 100% foolproof. Which is where DPaaS providers come in.
For instance, Hitachi’s recent unveiling of their new DPaaS is designed specifically for companies who understand the cloud’s practical benefits. The simplest example being is when an Office 365 app crashes and data is lost. DPaaS can ensure that it’s backed up and every member of the on-premises cloud can access it at any time.
Other companies aren’t far behind. In fact, DPaaS has branched out into other services like Storage as a Service (STaaS), Disaster Recovery as a Service (DRaaS), and Backup as a Service (BaaS).
Recently, a pioneering Data residency as a Service start-up InCountry received $7m in funding to launch their product called Profile. The purpose of the product is to provide personal data compliance solutions and to ensure their actual implementation within companies.
GDPR is only one example of the confusing regulations and their national implementations. For instance, Russian and US data protection laws are fluctuating minefields of their own, and interpretation of their laws can be quite subjective and uneven, especially in the former jurisdiction.
For that reason, global companies would most likely appreciate a solution that would allow them to stay up-to-date with the laws all over the world, as well as to be compliant. And the market reports can confirm that – the disaster recovery industry is expected to grow by almost 40% in the next five years.
So, it seems clear that data, and especially, personal data, protection are a market that’s here to stay. But are all these solutions as effective as they claim to be?
Practical applications – how does DPaaS really work?
Essentially, the technology of DPaaS is VPN-based technology. We’ve previously elaborated on what VPN is and how you should be using it all the time, but to refresh your memory – connecting to a VPN (virtual private network) connects you to a remote server, and all your traffic is routed through a tunnel invisible to your ISP.
Corporate VPNs usually help the employees access data on protected servers. DPaaS technology uses these “tunnels” to support the security of your data remotely. In other words, the operator’s activities aren’t visible to your ISP or whoever is trying to break into your ISP.
It sounds like a decent layer of additional security. And on the one hand, it is. On the other hand, however, DPaaS, like any other SaaS, IaS and other digital services, isn’t immune to human error. True, a lot of DPaaS operators offer a back-up solution for your data in the event of theft.
Commercial VPNs have a “kill switch” option for these situations, and a DPaaS provider should be equipped with a similar option – a fail-safe so to speak. Usually, recovery is possible, especially if the files are backed-up, but it takes time and may bring additional expenses, thus slowing down your business operations.
For that reason, you should consider combining your DPaaS with DRaaS and even BaaS for extra security. Disaster recovery as a service allows for protection of your programs and data on the basis of a cloud from a natural or human disaster. It can add an additional layer of security and mitigate any delays that would’ve resulted from a data breach. Whilst DPaaS operators recover your stolen data, you would still be able to work if you have DRaaS in place. The latter can restore the entire systems, which is hard to achieve with only DPaaS.
It’s also very important to remember that, if you operate in the European Union, your company is the data controller under the GDPR. A DPaaS provider is just a data processor.
So, in the event of non-compliance with the GDPR by the provider and a resulting breach of your data, you as the data controller would be liable before the personal data subjects whose data has been lost or illegally processed. Therefore, you and your company should take extra care when choosing a DPaaS provider, especially if you have European Union operations or are trusting the provider with the personal data of EU citizens.
So, should companies opt for DPaaS?
Short answer – yes.
However, companies must be very cautious and maintain some market awareness to allocate their costs efficiently. DPaaS and DRaaS is not yet a buyer’s market since the awareness of cyber security and data protection still remain lower than it should be in this day and age. So, before committing to a DRaaS or DRaaS contract, companies should:
- Decide what would be the best approach for them – DPaaS alone or DPaaS together with DRaaS and STaaS. The answer to that would depend on the type and amount of data handled, the company’s financial resources, the locations where they operate, and other industry-specific factors;
- Do the general due diligence – although the market is fairly new, we’ve stipulated earlier that a lot of GDPR fines have already been imposed. It goes without saying that you should audit your chosen operator as to whether they’ve been a subject of such fine;
- Check the payment options – is it pay-as-you-go? If so, the service would only be “performed” in the event of a breach;
- Carefully check the operator’s personal data policies and clauses relating to warranties and representations on the subject of the client’s personal data;
- Get proper cybersecurity insurance;
- Try to get some information on whether or not the operator is planning to subcontract any services;
- Request a demo to see how the services would work in practice.
Depending on your industry, your company might want to perform more checks.
If a large bulk of your data is personal data, consider Data residency as a service. InCountry might currently be piloting that market, but other players are expected to emerge quite soon. Even if you’re an SME, GDPR doesn’t allow for any relevant exemptions. But do be careful and don’t dive in headfirst, without having a clear idea of what your operator would be doing for you.