Despite the burgeoning column inches devoted to articles discussing the looming General Data Protection Regulation (GDPR), the truth of the matter is that most UK businesses are still in the dark over a number of key issues related to GDPR compliance, even though the deadline for compliance is a little over six months away.
Let’s be honest, many organisations are still coming to terms with the most basic questions about what the GDPR actually is, let alone understanding the intricate details of the regulation, such as what ‘personal data’ really means and what their responsibilities are with regard to the personal data of their customers. Then, when you throw into the mix the fact that conservative estimates indicate that 88% of UK organisations now have a cloud footprint to consider, you can see how the waters muddy yet further.
So, for the many organisations who are now asking “what do we have to do with information stored in the cloud?”, we have put together the following three steps, which detail how you should interact with your cloud service provider to ensure that you are in compliance with GDPR ahead of 25th May 2018.
Decision makers who are responsible for acquiring cloud services for their organisation must be aware of, and understand, what kind of data they are storing with their providers. If that data meets the definition of “personal data” of an EU citizen under GDPR, then it will fall under the requirements of the regulation. Under Article 4 of the GDPR, “personal data” is defined as any information relating to an identified natural person, or any information that can be used, directly or indirectly, to identify a natural person.
While it is obvious that this would include names, ID numbers, and locations, you may not be aware that it also includes online identifiers and factors that identify the physical, cultural, or even social identity of a person. Knowing whether personal data of this nature resides with, or could potentially reside with, your provider is significant, since it determines whether GDPR applies.
Once you have determined that personal data of an EU citizen potentially resides with your provider, and thus that GDPR would apply, you must then establish the contractual relationship between you and the provider. You will need to designate the Controller and Processor roles and communicate to the Processor the types of data involved and the controls in place to protect that data. Under Article 4 of the GDPR, you would be the Controller, which is the entity responsible for determining the purpose and means of processing the personal data. The provider would be the Processor, which is the entity that processes that data on your behalf.
Once those roles have been designated within the contract, the types of data and the controls that the Processor has in place to protect that data will have to be detailed. Because the language of Article 5 Section 1(f) of the GDPR only indicates that the processing of personal data must be done in a manner that has “appropriate security” and that utilises “appropriate technical or organisational measures,” you must set your own contractual controls regarding what the provider must do in order to protect the personal data.
These controls would be in the initial contract if you are working with a new provider; but if you already have a contract with a provider in place and that contract does not account for GDPR, you will need to seek an addendum to the existing contract in order to ensure that both you and your provider comply.
Before and after signing any contracts or addenda with a provider, you should ensure that you conduct your due diligence on that provider in order to validate that they are complying with GDPR. Prior to signing the initial contract with the provider, you should ensure that the provider’s GDPR programme applies to all products, services, and sub-vendors of that provider, and not just a small subset of that group. Making sure that this is the case is important in order to avoid unpleasant surprises several months into the contract.
Further, even once all of the data and controls have been agreed and the contract has been signed, you still need to continuously assess the provider by monitoring and auditing their programme. Under Article 28 of the GDPR, the processor must allow you, the controller, to audit its activities in order to ensure that the processor is complying with both the regulation and the requirements set forth in its contract.
Understanding how to interact with your provider is a significant aspect of GDPR compliance. Performing the three steps discussed above will ensure that you are interacting with your provider in a manner that keeps you on track for GDPR compliance.