Cloud Data Security and EU Data Privacy

Cloud Data Security and EU Data Privacy Rules Compliance with Encryption and Tokenization

Cloud Security, Compliance

Written by Michael Higashi

For enterprises doing (or hoping to do) business in the EU using cloud computing, the EU’s Data Privacy Directive can seem like an insurmountable obstacle. The EU’s data privacy regulations are among the strictest in the world, which makes deploying compliant cloud solutions within EU jurisdiction, or for an EU-based organization, a challenge. Fortunately for those facing this challenge, established technologies like encryption and tokenization can significantly ease cloud adoption and compliance.

Understanding the EU’s Data Privacy Directive and the future of EU cloud computing

The EU’s Data Privacy Directive exists in large part to protect consumers’ sensitive and personally identifying information: from data breaches and disclosure initiated by cybercriminals, from unwanted sharing by corporate entities, and from spying and government surveillance carried out by national actors, such as the United States. Looking at it from this perspective greatly simplifies things. Essentially, for corporations to remain in compliance with EU data privacy law, sensitive and personally identifying data must be protected from any outside access or exposure.

This theme extends to the cloud as well. Cloud computing security standards and regulations are catching up to the more established standards for on-premises computing and data storage: the European Commission treats cloud data security as a key action point, and the European Telecommunications Standards Institute (ETSI) has published its “Cloud Standards Coordination” report. Expect stricter and more specific rules for cloud computing to emerge in the coming years.

Organizations hoping to move to the cloud while doing business in or with the EU must consider several factors. Arguably one of the most critical is the compliance status of the cloud providers with which the enterprise hopes to contract. Under the EU’s data privacy rules, EU citizens’ sensitive data may only be placed in a non-EU cloud provider’s infrastructure when that provider has been certified under “Safe Harbor,” meeting the EU’s stringent data privacy and security requirements. Not many cloud providers have achieved this, which severely limits enterprises’ choices.

Encryption and tokenization to the rescue

There is, however, another way to approach EU cloud data privacy and security: by taking proactive steps to secure sensitive or protected data before it ever enters the cloud. Through cloud data encryption and tokenization at the client side, organizations can satisfy many EU data privacy requirements, remaining in compliance without having to rely primarily on their cloud providers’ compliance and security efforts. Proper implementation of encryption and tokenization at the client side, with all encryption keys and tokenized data held securely and exclusively on enterprise premises, protects sensitive information from all outside threats, including inadvertent exposure, intentional hacking or theft, and interception by government agencies.
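The client-side tokenization described above, as an added example (not code from the original post or from any vendor): the token vault holding the real values stays on enterprise premises, and the record the provider receives contains only random tokens. The field names and the sample record used in the test are assumptions made for this illustration.

```python
import secrets

# Fields that must never reach the cloud provider in clear text (schema assumed
# for this illustration).
SENSITIVE_FIELDS = ("email", "national_id")

class OnPremTokenVault:
    """Token <-> plaintext mapping: the only place the sensitive values exist,
    so it stays on enterprise premises and is never shipped to the provider."""

    def __init__(self):
        self._by_token = {}  # token -> plaintext
        self._by_value = {}  # plaintext -> token (same value, same token)

    def tokenize(self, value):
        if value in self._by_value:  # reuse so cloud-side joins keep working
            return self._by_value[value]
        # Random token, not derived from the value: nothing about it can be
        # inverted or guessed by anyone who holds only the cloud copy.
        token = "tok_" + secrets.token_hex(16)
        while token in self._by_token:
            token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]  # KeyError for a token this vault never issued

def to_cloud_record(record, vault):
    """Copy of `record` that is safe to hand to the provider."""
    cloud = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in cloud:
            cloud[field] = vault.tokenize(str(cloud[field]))
    return cloud

def from_cloud_record(cloud, vault):
    """Inverse of to_cloud_record; only possible where the vault lives."""
    record = dict(cloud)
    for field in SENSITIVE_FIELDS:
        if field in record:
            record[field] = vault.detokenize(record[field])
    return record

def exposes_sensitive_data(cloud, original):
    """Pre-upload check: does any sensitive value still appear in the cloud copy?"""
    blob = " ".join(str(v) for v in cloud.values())
    return any(str(original[f]) in blob for f in SENSITIVE_FIELDS if f in original)
```

The same pattern applies to client-side encryption: the ciphertext goes to the provider while the key, like the vault here, never leaves the premises.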

Today’s threat landscape is a vastly more diverse and complicated one than in years past, and today’s data privacy and security regulations in regions like the EU have grown stricter and more complex in response. At the same time, more and more businesses are realizing that they must leverage the benefits of cloud computing in order to retain a competitive edge. Using methods like encryption and tokenization to secure sensitive data is key to reaping the rewards of the cloud without running afoul of the law.
