GDPR and the cloud - part one
Businesses are embracing the flexibility, agility and efficiency provided by the cloud at an ever increasing rate, and cloud providers have responded by developing a vast number of solutions to suit the varied needs of their customer base. Migrating IT services to the cloud, however, requires careful planning on the part of both provider and customer. Full consideration of the data protection implications is a critical element of this.
Beyond existing obligations under current data protection law, the General Data Protection Regulation (GDPR) will introduce new challenges for both customer and provider of cloud solutions. This three part series aims to dig a little deeper into the key issues, namely:
- direct obligations on the cloud provider as a data "processor";
- greater transparency requirements and data subject rights; and
- enhanced breach notification requirements.
New processor obligations
In the vast majority of cloud services arrangements, the cloud provider will be a data "processor" and the customer will be a data "controller" in the eyes of data protection law. This means that the cloud provider processes personal data that is under the control of the customer – the provider may not do anything with the data outside the scope of the customer's specific instruction nor use it for its own purposes.
Significantly, the GDPR will introduce certain direct obligations for data processors who will, like data controllers, be subject to penalties and direct claims by individuals. The GDPR also requires that a controller only use processors who provide sufficient guarantees to implement GDPR-level technical and organisational measures. On-going rights of customer audit and detailed risk assessments will therefore form an integral part of the relationship between the cloud customer and provider under the new regime. Ensuring proper flow down of processor obligations will be key to ensuring compliance.
Transparency requirements and data subject rights
As detailed in our last issue of Data Bytes, transparency is central to the GDPR. Individuals must be properly informed about how their data will be used, where it may be transferred, and be confident that it is secure. Cloud services present a challenge here as, by their very nature, they utilise distributed storage often located across different territories.
Both provider and customer will need to fully understand where personal data is held geographically and be comfortable that notifications to the individual adequately explain the processing of their data, especially where data transfers may be made outside the EEA. Similarly, enhanced rights of the individual under the GDPR to access and rectify their personal data, coupled with new portability, erasure and restriction requirements may prove difficult to administer in practice given the physical dispersal of personal data in the cloud.
Breach notification requirements
Controllers and processors are subject to a new breach notification regime under the GDPR. A cloud provider, as data processor, must report a personal data breach to its customers, who must in turn identify the breach to their national supervisory authority within 72 hours, and in some cases to affected individuals, following specifically prescribed requirements. Practically, the customer will need significant assistance from the cloud provider when issuing such notifications. Both parties must therefore have an agreed mechanism in place to respond to breaches in accordance with the GDPR and adequate resources and training to ensure appropriate steps are taken quickly.
Success is where preparation and opportunity meet…
Ultimately, despite these challenges, the GDPR represents a significant step forward in terms of customer control over personal data in the cloud and overall transparency and security for the individual. Similarly, it presents new opportunities for those cloud providers who are quickest to position themselves as a truly GDPR-compliant, hassle-free solution. Each challenge posed by the GDPR can be properly prepared for and documented in a tight, well-planned agreement between the customer and provider. Look out for more information about these issues in our GDPR and the Cloud – part 2 which will be available on 28 May 2018.
Byte-sized news
- ICO updates right to data portability guidance. The Information Commissioner's Office (ICO) has recently updated its Guide to the General Data Protection Regulation (the Guide) to include more detailed guidance on the right to data portability. Helpfully, the Guide now contains checklists to assist organisations in preparing for, and complying with, data portability requests and provides clarification on how organisations should provide personal data. Specifically, the ICO advises that the Open Data Handbook, published by Open Knowledge International, should be used by organisations to interpret terms which are not defined in the GDPR, such as "machine readable" and "structured". The ICO also notes that the Data Protection Bill contains exemptions from the right to data portability and therefore the Guide will be updated once the bill is finalised in order to provide further detail on the application of the exemptions.
- Article 29 working party issues guidelines on consent. Article 29 working party, the European Commission's working party for data protection, has recently adopted its guidelines on consent. The guidance sets out when consent can be relied upon as a legal basis for processing personal data. When relying on consent, controllers must continue to observe principles of fairness, necessity, proportionality and transparency. Importantly, organisations should remember consent does not legitimise the collection of personal data that is not necessary in relation to a specified purpose of processing, nor does it allow processing which would otherwise be fundamentally unfair.
- European Commission initiative to increase availability of data in the EU. The European Commission has put forward new measures to open up data for re-use to make data sharing easier. In an attempt to fuel innovation, the Commission has proposed to make publicly available data, public utilities data, environmental data, research and health data, available to develop innovative services. The Commission estimates legislative reforms of this nature will increase the EU's data economy to €739 billion by 2020. The Commission also sets targets for 2020 to have increased AI research and innovation by at least €20 billion across both public and private sectors. The proposals are aimed at improving the reusability of public sector data, extending private sector data sharing in the business-to-business and business-to-government context and enabling better access to scientific information.
With special thanks to William Barrow, Tom Brookes, Helena Brackenridge and Inbali Iserles for their contribution.