Time to review your contracts: How GDPR will change the relationship between organizations and cloud service providers
By now, almost every organisation is aware of how GDPR will change individuals’ rights to own their own data when it comes into effect on 25 May 2018. One key principle GDPR establishes is the principle of accountability. It is up to the organization that needs personal data for a purpose, referred to as the data controller under GDPR, to ensure enforcement of the privacy principles not only within its walls but also across suppliers with whom it might share the data and subcontractors that might process data on its behalf, known as data processors. Cloud providers are perfect examples of data processors that your organization might have to deal with in your GDPR compliance project.
So, what steps should your organisation take to build such a culture and ensure accountability beyond your company’s firewall and inclusive of cross-border data transfers? Many organisations are beginning to realise the extent of preparation that will be required to make this a reality.
A 2016 survey by NetApp of IT decision makers in the UK found that 35% believe the responsibility for an organisation’s data sits with its third-party cloud providers, while 3% did not know who would be responsible. Companies are grappling with GDPR compliance during a time of rising security concerns following some recent massive data breaches such as Equifax and Alteryx/Experian that reinforce the importance of data accountability. Under GDPR, data responsibility sits firmly with the data controller – the organisation that collects the personal data in the first instance and then cascades across the other stakeholders when they process it.
Because of this accountability principle, organizations must determine their privacy strategy with regard to the cloud. The knee-jerk reaction might be to avoid using cloud storage for personal data and turn to on-premise storage instead. Lenovo’s approach to customer analytics is a perfect example of this tactic. They “decided to do a hybrid big data architecture of Amazon Web Services (AWS) to benefit from the cloud, while using our own Lenovo servers to maintain the privacy and security of our most sensitive data.” Others might instead consider the cloud to be the most effective and secure way to meet the challenges of new data privacy legislation. But then they need to be more thorough in their cloud procurement process, to make sure both parties understand the risks, responsibilities, and requirements that the cloud provider will need to fulfil.
Some organizations might not even have the ability to proactively choose between the two strategies due to their legacy systems: an inspiring article from the Cloud Industry Forum states that an average European company is effectively using 608 cloud apps, but due to shadow IT, is underestimating this number by 90%. Making sure that all the cloud applications that hold personal data are referenced is therefore the first and foremost challenge. Organizations need to crawl their entire data infrastructure to create and maintain a constantly accurate map of their data. Then, they need to pay particular attention to their third-party systems that are based in the cloud, such as CRM, HR, infrastructure or platform as-a-service, or analytics. This will be especially important as they will then need to assess the GDPR readiness of their cloud provider as a data processor and make sure their contract includes a data processing agreement. Similarly, data controllers need to ensure that they can erase the data from their cloud providers when they stop using the cloud service. As consumers will be able to request information on, or the deletion of, all the personal data a company has about them, the data controller has to ensure that they can meet this kind of requirement through their cloud provider.
They also need to clearly define the balance of liability in the event of a data breach. While under GDPR the data controller (the organisation that processes the data that they captured from their data subjects) is ultimately responsible for reasonably preventing and reporting data breaches, organisations should be looking to ensure their data processor (the cloud service provider) is contractually required to also take responsibility for the safety and security of stored data. This is particularly important in terms of the data controller’s responsibility to notify the supervisory authority (the ICO in the UK), within 72 hours and without undue delay, of any data breach. This will require cloud providers (as data processors) to ensure they are notifying organisations of any security threat as quickly as possible, and needs to be an important consideration in the selection of a new cloud provider.
Organisations will also need to take a far more active interest in the physical location of a cloud provider’s datacentres. Under GDPR, only a few specific countries outside of the EU are authorised for the storage of EU citizens’ data. If your cloud service provider is storing your information in a datacentre that is outside of these regions, you will need to ensure that there are Binding Corporate Rules in place to keep the data compliant with GDPR. At the same time, this location information will also be essential to remain compliant with any additional local regulations in the industry and other regional territories that the organisation operates in. It will be essential for organisations to work with cloud providers who can provide clear and transparent location information for their data storage, or else they introduce unnecessary risk.
Providing you are working with a reputable cloud provider, and once you’ve established the data governance principles that keep you in control of the data wherever it is processed, the cloud can be a valuable resource for storing personal data and maintaining GDPR compliance. In fact, many cloud providers have already paved the road to GDPR support, so working with those knowledgeable cloud providers can help organisations fast-track their compliance. Nonetheless, ensuring you are familiar with your provider’s GDPR policies and strategy will be crucial for all organisations ahead of and following the 25 May deadline.
GDPR will be a significant change in how organisations approach personal data and their cloud and data management strategy. Early and comprehensive measures to ensure that businesses know what data they have on individuals, where it is stored, and what policies their cloud providers have in place to protect and secure it, will be imperative for business success in the modern, data-driven future.