GDPR and the cloud - part two
The cloud offers significant advantages over traditional data storage models, such as access to data on the move, affordable pricing structures, efficient back-up solutions and flexibility. These benefits can enable businesses to adapt, grow and increase profitability. However, increased regulation in the age of the General Data Protection Regulation (GDPR) presents challenges for cloud providers and their customers. Although controllers have long been required to safeguard personal data, the GDPR recognises the role which processors play in the protection of personal data and places them directly within its scope. Following on from our introductory article, GDPR and the cloud – part one, we take a closer look at some of the data processing challenges.
GDPR liability for data processors
The GDPR introduces direct obligations on processors such as cloud providers, in particular:
- Processor clauses. In the past, cloud providers often attempted to push compliance obligations back onto controllers, seeking confirmation from controllers that the processing would be consistent with data privacy laws. Under the GDPR, controllers may only use processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures. Article 28 GDPR prescribes the terms that must be included in the contract between a controller and a processor, including the processor's obligations to act only on documented instructions, to keep personal data secure, to assist the controller, and to delete or return personal data at the end of the engagement. The mandatory clauses make it clear that processors, like controllers, must work to safeguard personal data.
- Direct liability for data processors. Processors have direct obligations under the GDPR. Under Article 82 GDPR, individuals who have suffered damage as a result of an infringement have a direct right to compensation from the processor, where the processor has failed to comply with the obligations the GDPR places specifically on processors or has acted outside, or contrary to, the controller's lawful instructions. Where both a controller and a processor are involved in the same processing and both are responsible for the damage, each can be held liable for the whole of it. It is clear that processors can no longer seek to rely on controllers, or cleverly drafted clauses within service agreements, for compliance; they must take positive action to verify their own compliance and work closely with controllers to limit their exposure.
Demonstrating compliance
Given the increased emphasis on compliance, cloud providers (and those who use cloud providers in providing their own services) should consider the following steps:
- Understand what is being processed. Under Article 32 GDPR, cloud providers, as processors, must implement and be able to demonstrate a level of security appropriate to the risk. It is important that they are aware of, and understand, the type, nature, context and purpose of their data processing activities and continually assess the adequacy and effectiveness of their systems. Providers that can tailor platforms, services and security measures to those risks will be attractive to controllers seeking assurances that personal data will be adequately protected.
- Appoint sub-processors with care. As detailed in GDPR and the cloud – part one, individuals must be properly informed about how their personal data will be used and should be confident that their personal data is secure. This requirement for transparency raises challenges for cloud providers, which often use distributed storage located across different territories and platforms and enlist sub-processors in the provision of their services. Not only do cloud providers need to know exactly where sub-processors are performing the services, they are required to obtain the controller's prior written authorisation (whether specific or general) before engaging them; where the authorisation is general, the controller must be informed of any intended changes to sub-processors so that it has an opportunity to object. Where cloud providers do appoint sub-processors, they must flow down the same data protection obligations by contract and ensure that sub-processors provide sufficient compliance guarantees. Crucially, the cloud provider remains fully liable to the controller for its sub-processor's failure to comply with those obligations.
- Be prepared to notify data breaches. Controllers and processors are subject to a new breach notification regime under the GDPR. A cloud provider, as a processor, must report a personal data breach to its customers (the controllers) without undue delay after becoming aware of it. Controllers must in turn notify the breach to their national supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must also notify affected individuals where the breach is likely to result in a high risk to them. Controllers must be in a position to describe the nature of the breach, the categories and approximate number of individuals affected, the categories and approximate number of records concerned, the likely consequences of the breach and the measures taken or proposed to address it and mitigate its effects; they must also document every breach, including those not notified. Controllers will look to cloud providers to assist with the reporting and mitigation of data breaches, and the Article 28 contract must oblige the processor to provide that assistance. Cloud providers will therefore be expected to have mechanisms in place to detect, assess and escalate breaches quickly and accurately. Where sub-processors are enlisted, they too must have appropriate mechanisms in place to enable prompt reporting up the chain. All parties should work together to ensure compliance.
Proactive and innovative
The GDPR offers cloud providers an opportunity to position themselves ahead of the curve in terms of compliance. Cloud Infrastructure Services Providers in Europe (CISPE), a trade association of infrastructure providers, has issued a "Code of Conduct" to help cloud infrastructure providers comply with the strict requirements of the GDPR, as well as providing a framework to help end-users select cloud providers and build trust in their services. The code of conduct has yet to be formally approved under the Article 40 GDPR procedure for codes of conduct, but it shows a commitment from the industry to ensure that its services are compliant with the GDPR.
Customers will be keen to ensure that their providers understand the processing activities, offer appropriate services in relation to the type of data which is to be processed, tailor security measures relative to the risks of the processing and have mechanisms in place to promptly identify and notify them of any data breaches. Cloud providers that take a proactive approach to data protection, offering transparent, flexible solutions and well-documented compliance mechanisms, will be well placed to compete for business, offering customers reassurance that data protection is central to their activities.
Byte-sized news
- Data Protection Act 2018 passed. The UK's Data Protection Act (the Act) recently received royal assent and its main provisions entered into force on 25 May 2018. The Act updates data protection laws in the UK by supplementing the GDPR, implementing the EU Law Enforcement Directive and extending data protection laws to areas which are not covered by the GDPR. New powers are granted to the ICO under the Act including issuing urgent notices requiring a response in no less than 24 hours, compelling people and organisations to hand over information, and making it a criminal offence to destroy, falsify or conceal evidence. The Information Commissioner's Office (ICO) intends to produce a suite of guidance to cover the Act, which will be published under a new Guide to Data Protection.
- ICO consults on Regulatory Action Policy. The ICO has recently launched a consultation on its Regulatory Action Policy (the Policy). The purpose of the policy is to set out the objectives which will guide the ICO when taking enforcement action under legislation including the Data Protection Act 2018, the GDPR and the Privacy and Electronic Communications Regulations 2003. The ICO states in the Policy that it will be as robust as it needs to be in upholding the law, whilst ensuring that commercial enterprise is not constrained by red tape, or concerns that sanctions will be used disproportionately. The consultation is open until 28 June 2018 and the finalised Policy will be subject to Parliamentary consideration and approval.
- NCSC and ICO release GDPR Security Outcomes. The National Cyber Security Centre (NCSC) and the ICO recently released joint guidance (the Guidance), which describes a set of technical security outcomes that are considered to represent appropriate technical and organisational measures under the GDPR. The outcomes are grouped under four headings: managing security risk, protecting personal data against cyber attack, detecting security events, and minimising the impact of incidents. They are intended to provide a common set of expectations that can be met by organisations either through following existing guidance (such as the NCSC Small Business Guide or the ICO's Practical Guide to IT Security), using particular services, or through the development of a bespoke approach. The NCSC and ICO note that an outcomes-based approach enables scaling to any size or complexity of organisation or data processing operation.
With special thanks to Helena Brackenridge and Tom Brookes for their contribution.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.