GDPR and the impact on cloud computing
The effect on agreements between enterprises and cloud service providers
How will cloud computing change by the GDPR? What are the general privacy challenges and the GDPR specific challenges to anticipate?
Moving to the cloud
More and more enterprises are moving to the cloud. This can have big advantages for an enterprise: it also allows for a better optimisation of IT resources because cloud solutions are almost unlimited scalability and have a great flexibility. All at a contained cost.
Typically a cloud service provider would qualify as a processor when your enterprise uses their services. The cloud service provider will process personal data, which are stored within their databases or servers, on your behalf: the controller. The cloud service provider cannot do anything with your data, unless you instruct them to do so and the data remain within your controllership.
With the use of cloud services, challenges for enterprises will arise. Some challenges are (1) general privacy challenges of cloud computing and then (2) more GDPR specific challenges. These challenges must be anticipated when using cloud services, and the discussion of these challenges will form the main part of this blog.
General privacy challenges of cloud computing
One of these challenges in cloud computing is connected to the sensitivity of the entrusted information. As an enterprise you can host almost any type of information in the cloud, including sensitive information, which increases the risk of uncontrolled distribution of this information to third parties (i.e. competitors). Third parties you do not want to give access to your information. If a cloud computing solution is chosen where data processing and/or storing premises are shared, the risk of information leakage is present.
Next to this, it can be a challenge for enterprises to determine the applicable law. With cloud computing the relation of data to a geographical location can be blurred. It is not always clear where data are stored. Therefore it can be difficult for an enterprise to determine applicable law. Within the EU, the physical location is a decisive factor to determine which privacy rules apply. However, in other jurisdictions other regulations may apply. This challenge becomes more difficult because of the volatility of data in the cloud. Data may be transferred from one location to the other regularly or may reside on multiple locations at a time. This makes it hard to determine applicable law, and watch data flows.
Another challenge lies in the externalisation of privacy. Enterprises that make uses of cloud service providers expect that the privacy commitments they have made to their own customers and employees will continue to apply by the cloud service provider. If such a provider operates in many jurisdictions, the exercise of rights of data subjects may be subject to different conditions as well. Therefore it is advised to try negotiate a tailored contract with clauses incorporated about these privacy commitments, next to agreements about the controller and processor relationship.
GDPR specific challenges
Implementing retention effectively in the cloud. In general, under the GDPR personal data may not be stored longer then needed for the predefined purpose. Therefore, retention periods must be implemented and it must be able to delete data effectively when retention periods has expired: both for data locally stored and in the cloud. The difficulty here is that data can be stored on multiple locations, under multiple jurisdictions, by cloud service providers, and therefore there is the challenge to identify and manage multi-jurisdictional retention requirements. The deletion of data will also impose a challenge. To delete data completely, backups must be taken into consideration as well. Therefore, it is important to have a clear overview of how backups are secured and retention is managed by your cloud service providers.
Breaching response and coordination. Breach notification obligations and protocols must be included in data processing agreements with cloud providers. The contract must define a breach event and describe a procedure for the provider to notify your enterprise about any breaches without undue delay. Even if the cloud provider experiences a data breach that impacts multiple customers, the controller (you) should own external communications and manage the overall breach with their support. What controllers don’t want is a breach making headlines before their provider notifies them of the breach and before the controller is able to notify local authorities.
Processing of personal data outside the European Economic Area (EEA). Because data can be stored within multiple location by cloud service providers, it might be possible that personal data are stored outside the EEA. For this processing, appropriate safeguards must be taken if no adequacy decision have been made about the country where the data resides. Controllers will need to define a multi-country cloud strategy to adhere to adequacy requirements as well as data localization laws.
Data portability for the controller. Controllers must be able to facilitate the right of data portability for data subjects. If the data of the controller is in the cloud, it must be possible for the controller to retrieve the data in a structured, commonly used and machine-readable format to provide to the data subject or another controller. It is important to make agreements about this with cloud providers that are engaged by your enterprise. Providers will need to provide the technical capability to ensure controllers can satisfy this data subject right.
Data ownership. As a controller you must maintain control and ownership of your own data. Therefore this must be spelled out in contract. Next to this, you must confirm that, according to the host-countries’ laws, your company retains ownership of the transferred data.
Risk management. Cloud service providers must be subject of your third party risk management. To determine any risks that may arise when using a cloud service provider a Data Protection Impact Assessment (DPIA) and a security assessment can be performed. Next to this, the right to audit cloud providers must be incorporated in the agreements concluded with these providers. In order to perform a proper audit, a control framework with privacy and privacy by design control measures must be defined next to an appropriate audit plan.
Cloud architecture and privacy by design. As a controller, when engaging a cloud provider, you should understand the underlying technologies the cloud provider uses and the implication that these technologies could have on the security safeguards and protection of the personal data stored in the cloud. The architecture of a cloud provider’s system should be monitored to address any changes in technology and recommended updates to the system.
Visibility regarding metadata and Data Minimisation. If you, as a controller, are interested in entering into a Service Contract for cloud services you should obtain information regarding the types of metadata collected by the Cloud Provider. Consider what level of protection is afforded to metadata, the respective ownership rights, rights to opt out of collection or distribution of metadata, and intended uses of metadata.
Security of Privacy. As a controller you are not in control over the cloud provider’s (IT) environment and you must rely upon (IT) controls that the provider has in place. Therefore, it is always necessary to assess to what extent the provider is able to comply with your IT Security requirements. This could be done via the third party risk management process. Next to this, you also must assess what kind of IT Security and privacy measures or certifications the provider has in place. Cloud providers can demonstrate compliance with security and Privacy by Design in several ways:
- With the results of a performed DPIA;
- By being ISO 27001 certified (information security management system);
- By being ISO 27018 certified (code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).
If your enterprise is using cloud service providers it is necessary to have a good overview of your data lineage. You want to know where the data are stored, how it can be transferred and what access possibilities you have to your own data. The location of your data is important to determine applicable law. You also want to check whether the security measures the cloud provider has taken are sufficient, an audit can be a good measure to do an assessment on these measures so you want to incorporate this right in your agreements.