Are you a controller of personal data under the General Data Protection Regulation ("GDPR") who uses a cloud services provider ("CSP"), or are you a CSP who acts as a processor to a controller customer who has engaged you to provide it with cloud computing services ("CCS")?
If you answered yes to either question, you are required to be aware of the data protection risks associated with the provision and receipt of CCS and to comply with the GDPR obligations appropriate to your status as controller or processor of personal data. Helpfully, the Data Protection Commission ("DPC") has issued a CCS guidance note dated October 2019, "Guidance for Organisations Engaging Cloud Service Providers", which is a welcome addition to the range of advice issued by the DPC and provides useful clarification for both customers and suppliers of CCS.
CCS OBLIGATIONS UNDER GDPR
Controllers have an obligation under GDPR to process personal data in a way that ensures appropriate security (as per the data protection principles of integrity, confidentiality and security). The DPC highlights that organisations must ask whether they have appropriate technical and organisational measures in place and ensure their processors do too. The DPC has separately issued guidance for controllers of personal data on data security, which is a reference guide to assessing whether appropriate security measures exist or are required to be implemented. As the DPC states in the CCS guidance, "the use of any cloud services as part of [data controllers'] business is an important area in which organisations need to ensure there is adequate security for the personal data they process".
CLOUD COMPUTING UNDER GDPR
The DPC notes that "people often mean different things when they talk of processing data 'in the cloud'", which is undoubtedly true. The CCS guidance is not intended as a detailed guide to cloud computing or to the different types of CCS, and thus describes cloud computing in general terms, for both controllers and processors, as something that "usually involves" an external CSP doing some or all of the processing or storage of personal data "on servers and/or in a data centre" under that CSP's control. The DPC notes that CSPs will "in many cases" be acting as data processors and reminds CSPs to be aware of their obligations as processors, which are less onerous than those that apply to controllers. Whether a CSP is a data processor or a controller is a question of fact, and the analysis can be difficult.
TYPES OF CLOUD COMPUTING
The DPC identifies three CCS models, which may involve the provision of a physical infrastructure, operating system, and/or processing software:
The DPC also discusses the distinction between private, public and hybrid CCS models. It points out that a chain of CCS may apply, where a CSP, acting as a sub-processor, provides CCS to another CSP that holds the ultimate contractual relationship with the customer, generally the data controller. The DPC also points to the complicated scenario that arises where CSPs "are also data controllers, or 'joint controllers'". Again, the question is always one of fact. Overall, the DPC's references to CCS service models and architecture models accord with the most common industry categorisations.
CCS ASSOCIATED RISKS
The recent CCS boom has offered businesses of all sizes a range of new and favourable storage options. The DPC states that it is essential for businesses looking into CCS (or those already engaged with a CSP) to ensure adequate security of personal data stored in the cloud. Issues may arise where controllers relinquish control of data to their CSP, where there is insufficient information about the service and its safeguards, or where the CSP is unable to adequately support the controller's obligations and/or data subjects' rights. The CCS guidance focuses mainly on CCS risks and on recommended steps to remove or reduce those risks.
THE MEANING OF "CONTROL"
The CCS guidance is clear that a data controller "must remain in control of the personal data it collects when it subcontracts the processing to a cloud provider". This is a key obligation, which cannot be waived or contracted out of. If the data controller cannot demonstrate control, it may potentially be in breach of GDPR. The DPC states that control requires:
SECURE CLOUD COMPUTING
Under GDPR, a controller may only engage a processor if the latter provides sufficient guarantees that it will implement appropriate technical and organisational measures. Controllers and processors are responsible for ensuring that such measures are commensurate with the risk. In practice, this is a key area of customer difficulty in the procurement of CCS, which is in essence measured by its outputs. Customers do not have, and generally the CSP will not or cannot allow its customers, visibility of what goes on under the hood, whether in real time or on an ad hoc basis (e.g. by way of inspection or audit). The DPC states that "a controller must therefore be satisfied that personal data will be secure if it is outsourced to a cloud provider". The reference to outsourcing is interesting: the cloud industry long disputed that cloud computing was a form of outsourcing, which is a well understood commercial sector in terms of risk management and commercial arrangements. The industry has largely succeeded in creating a commercial and contractual model, as well as a financial model, unique to itself.
The DPC states that, with reference to security, controllers must be satisfied in two main areas, namely that the CSP:
CSP ASSURANCES
The DPC states that controllers must seek assurances from potential CSPs on key issues, including:
Controllers must be satisfied with such assurances both in advance of entering the contract with the CSP and throughout the arrangement. This may be achieved by:
As mentioned above, customer inspection or audit is a difficult topic in the CCS sphere. In practice, more sophisticated CSPs will commission third-party audit-style reports which can be made available to customers. Overall, it is difficult for the customer of a CSP to obtain much, if any, change to the established supplier financial, technical and contractual model. This is especially true of the large service providers. In certain market sectors, CSPs are more willing to engage in some degree of dialogue, or have pre-prepared responses to the type of requirements listed above, the financial services sector being a prime example. That is arguably as much due to sector-specific regulatory requirements as to the market leverage of the customer base. For customers lacking leverage, or regulatory requirements to reference, contracting with market-leading CSPs is challenging. This includes the public sector, where individual agencies in Ireland are in most cases of modest size and thus represent modest spend. These specific guidance statements are perhaps the most difficult part of the CCS guidance for data processors to comply with. The more important, but broad, statements about data controllers remaining in control are perhaps not so difficult, if only because CSP contracts deliberately do not express or imply CSP control, a characterisation CSPs strongly argue against as a matter of fact.
TRANSPARENCY REQUIREMENTS
Under GDPR, the CSP as a processor may avail of approved codes of conduct or certification mechanisms to help demonstrate the compliance of elements of its processing. This allows a controller to assess whether the arrangement is appropriate to the processing operations being contracted. A high level of transparency is required between a controller and data subjects when that controller is processing those data subjects' personal data through a CSP. The CSP must be able to account for its processing operations. The DPC states that a controller must be satisfied as to the CSP's:
LOCATION, LOCATION, LOCATION
Personal data held in the EEA benefits from a common standard of EU protection. Such protection may extend to data transferred outside of the EEA by relying on one of the following mechanisms under GDPR:
CONTRACT PARTICULARS
The DPC states that a number of key points must be covered in the contract between a controller and its CSP, including details of how the CSP will:
The contract must also outline the subject matter, scope, nature, context, purpose and duration of the processing, and how the types and categories of personal data are dealt with at commencement, transfer, routine processing and 'end-of-life' (including return or deletion).
CONCLUSION
Overall, the DPC's guidance offers welcome clarity to those seeking to engage, or renew their commitments to, a CSP in the age of GDPR. In doing so, organisations should keep the DPC's main message in mind and ask whether they (or their CSP) have the appropriate technical and organisational measures in place. We recently published an article on public sector procurement of CCS, which can be read in conjunction with this GDPR-related article.
GDPR and the Cloud - Helpful DPC Guidance for Organisations - Lexology