From start-ups to multi-nationals and everything in-between, in the last few years we’ve all become dependent on cloud services helping us to deliver cost savings and efficiencies across our businesses.
The cloud is not just present in our work place though, cloud services permeate aspects of our lives from the way we engage with our friends to the way we buy our car insurance and how we shop for food.
What’s yours is mine? Who’s processing your personal data?
In nearly all cases, cloud services to you or your customers will be provided by a third party. They will hold your data and they will process it for you. But do you really know what they are doing with it and what risks that presents to you, your customers and your business?
In this article, we explore some of the key issues you need to consider when using cloud services to limit your exposure to risk, with a particular focus on the new General Data Protection Regulation (GDPR) coming into force in May 2018.
High Standards, Even greater fines.
The GDPR fundamentally changes the way in which businesses will be able to process Personal Data, setting the compliance bar significantly higher than the previous legislation.
And if you get it wrong the potential fines for a serious breach are €20 million or 4% of your global annual turnover!
So if you outsource any part of your business operation to a cloud provider who processes Personal Data (from your payroll to your hosting) you need to make sure that both you and your cloud services provider are compliant. If not, you could well be liable in the event of a breach.
To limit your risk of a cloud provider putting you in breach of the GDPR you will need to ensure you have a contract in place with them and that they have adequate (and compliant) data protection provisions and security standards in place.
The actual level of these standards will depend on the type of data being processed and the type of software or service required – the more sensitive the data they process for you the higher the standards of control need to be – but at the very least you will want to ensure some baseline expectations. This should ideally include provisions that require your cloud supplier to employ at least basic physical, administrative, and technical safeguards to protect confidential information and personal data.
There’s been a breach!
The new GDPR states that if you have a breach, you only have 72 hours to report details of the breach to the regulator. Breaches can come from all sorts of places, and whilst they mostly come from carelessness and human error, they also come from external attacks to your systems (and attacks to the people that host your systems).
So that you don’t lose time in assessing the risks caused by the breach and how you should address it, it’s crucial that they are part of your solution when things go wrong. In the event of a breach you may need to quickly call on them to help you to investigate that breach, what happened and what went wrong. If you can’t contact them at 11pm on a Friday night and have to wait until Monday morning you’ve already lost a significant amount of time. Your contract with them needs to fit into your internal breach management plan and how you are going to remedy the breach. They also have to take responsibility for their own compliance.
The damages incurred by a data breach can be catastrophic for both your business finances and its reputation. The GDPR places a much more stringent obligation on data handlers, so making sure that your technology contracts are up to date with the new law, before it comes in, should be a business critical consideration.
Doing business in the Cloud presents a unique problem around where your data (and Personal Data) is stored. Cloud services will often use servers based outside the EEA and even where Cloud service providers (and their servers) are based in the EEA, their support services and call centres (all of whom have access to your Personal Data) are serviced remotely – often out of UK hours support – in the US, India or further afield.
Under the GDPR in all of these cases the processing of Personal Data needs to comply with the GDPR and you must know where Personal Data you are responsible for is stored or processed.
There are many solutions provided by large cloud services providers which guarantee that processing will only be within the EEA. Do your cloud provider offer this? Even if they do, is their support team, in and out of hours, based inside the EEA. Does your cloud provider outsource their customer support? If they do, does the business they outsource to (who could be processing Personal Data for you) have a contract in place which ensures that they comply with the GDPR?
T&C’s: not as easy as 123.
Chances are that if you are signed up to any cloud services, you are likely to have done this on the basis of their standard terms and conditions.
You will need to revisit these terms in light of the GDPR as they are highly unlikely to meet the much more stringent GDPR requirements.
The GDPR will require you as a data controller to ensure that you have a ‘data processing agreement’ is in place with your cloud provider to ensure their compliance – easier said than done! This agreement needs to impose a number of new obligations on your cloud provider to make sure they comply with the GDPR and work with you if anything goes wrong.
Whilst cloud providers are increasingly becoming savvy to the benefit of amending their standard terms to reflect a need from their customers for GDPR compliance, the pick up is slow. In practice you will find it difficult to negotiate specific terms with your cloud provider so you will need to think carefully about who you pick as a service provider to make sure you remain GDPR complaint.
Termination + Transition Services
The technology behind Cloud services still advancing at breakneck speed but the market is starting to mature. As a result it is highly likely that at some point in time you or your service provider will move to a new Cloud supplier. When this happens you will want the move to be as seamless as possible and not lead to any interruption or downtime for you or your customers.
To make sure you can be nimble when you need to move and ensure a smooth transition, you should make sure that any Cloud contract you agree to allows you to move service providers easily (along with all of your data). During any transition at the very least you will want to make sure your current Cloud provider provides continuous services and transition support until your migration is completed. And again, in all of this you will want to make sure that your service provider complies with their obligations under the GDPR.