Bart van BUITENEN – GDPR, DPO, data protection, CISO, ISO27k – is managing partner of White Wire. Bart is very active in the fascinating world of data protection and privacy, specialized in guiding GDPR implementation projects, GDPR audits, DPIAs, ISO27001 implementations and all things data protection and privacy. White Wire is a boutique consultancy firm specialized in assisting healthcare organizations, SMEs and technology firms all over the EU with their data protection needs.
If you are a cloud provider, whether or not based in the EU, it is very likely you are processing personal data on European soil or concerning EU-based persons which means the GDPR applies to you. There is even a specific term to indicate a provider that processes personal data on behalf of an organization: the processor.
A lot of the focus has been put on the role of the ‘controller’, the organization responsible for determining the means and purposes for processing, and not enough emphasis is put on the role of the processor. And yet the GDPR changes many things for processors compared to previous data protection legislation, for example with regards to liability, responsibility and several new obligations. Below you will find what I believe to be the most important aspects for cloud providers (assuming they are indeed processors) to work on for GDPR compliance by the 25th of May 2018.
1 Data processing agreements
Controllers provide specific instructions to processors, and such instructions need to be documented in so-called “data processing agreements”. Such agreements are not new: they were also required under the previous European data protection legislation (Directive 95/46, and consequently the applicable member state law) but in practice correct and complete processing agreements are rare finds indeed.
Most organizations were not aware of the requirement for processing agreements, and for cloud providers, this usually meant more work and responsibilities while getting little in return. This has changed in the GDPR: article 28 specifically mentions data processing agreements and details what they should include. Unlike before, cloud providers now have a clear incentive to create processing agreements: the agreement should include the instructions for the cloud provider, and as such will become a very important part in determining liability. (Art. 82(2)).
- be proactive, don’t wait for the controller to mention the agreement first! This way you have an opportunity to propose your own template and at the same time show to your client that you are on top of this GDPR thing.
Data processing agreements need to be in place for your clients, but cloud providers will often have their own subcontractors. In the world of IT, the use of subcontractors is prevalent and many subcontractors will indeed be processors for the cloud provider. From the perspective of the clients using the cloud (the controllers), these subcontractors are then sub-processors. A cloud provider needs to ask the permission of the controller to use sub-processors, something that should be addressed in your processing agreement (see section 1.). Working with sub-processors can be handled in a generic permission or a specific permission per sub-processor. The processor remains liable, so rock-solid agreements with sub-processors should be high on any cloud provider’s list.
- Asking specific permission can be a hassle, ask for a generic permission and offer clients the opportunity to consult (and object to) a complete list of sub-processors at any time, e.g. by providing that list on a specific web page on your site.
3 Record of processing activities
Every controller should maintain a record of processing activities: a tool or document that details the different personal data processing activities within the organization. A lighter version also needs to be maintained by the processor and should involve all the processing activities carried out for its clients.
- Creating such a record or processing activities will provide valuable insight in finding which data you process and should be one of the first actions in a GDPR implementation plan.
- Organizations sometimes lose themselves in the details, keep in mind GDPR does not require you to map every single data field, and it’s about processing activities which often map very closely with the services being offered to clients.
- Don’t keep a register per client, just make sure you can link clients to processing activities by including the services you offer per client in your CRM or client database.
4 Transfers outside the EU
When EU personal data is transferred to countries outside the EU, it is important that the data receives the same protections and safeguards as within EU borders. To ensure this, the GDPR includes several mechanisms that make this possible, of which the most prevalent ones are:
- Adequacy decisions: when the EU has determined that a country outside the EU (or a specific agreement with such a country, e.g. Privacy Shield with the US) offers adequate protection it will take an adequacy decision. Link to current adequacy decisions: http://ec.europa.eu/justice/data-protection/internationaltransfers/adequacy/index_en.htm
- Binding Corporate Rules (BCR): many multinationals will have establishments in countries outside the EU. BCR document which measures an organization takes to ensure that a transfer of personal data outside the EU, but within the same organization, still offers adequate protection. Data Protection Authorities need to validate BCR before they can be applied
- Standard Contractual Clauses (SCC): template contracts, validated by the European Commission, that once again contain safeguards that should guarantee adequate protection when personal data are transferred outside the EU. Link to SCC:
- Privacy Shield and SCC are under scrutiny and may well be invalidated in the not too distant future. If at all possible, keep data within the EU.
5 Information Security vs data protection
Information security and the protection are not the same. Information security concerns all information, which includes personal data. Data protection concerns all aspects regarding the processing of personal data, which includes securing the information. So there is a clear overlap, but also a significant difference.
That being said, securing the information against unauthorized access, loss or destruction is a very important aspect within GDPR. In short, this aspect of the GDPR can be summarized as maintaining the confidentiality, integrity and availability (also known as CIA) of personal data that a cloud provider processes. Keep in mind that any violation of these CIA principles (e.g. data breaches) will need to result in a notification to the controller, who in turn may need to notify data protection authorities and data subjects if the potential risks of the breach are high enough.
- Align GDPR initiatives to information security governance. For example, the ISO27001 norm can be combined with data protection principles to provide a framework that addresses both information security and data protection.
- Think about and document a notification procedure BEFORE you actually need it.
- Review your need to apply a data protection officer (DPO). Even when clients individually don’t need to appoint one, a cloud provider may still need to appoint one.
6 Obligation to assist and notify
Processors are obliged to assist or notify controllers when they have information that a controller needs to fulfil GDPR requirements, such as performing DPIA’s or the before mentioned data breach notifications.
- Document (e.g. in the processing agreement or another contract) how the assistance should take place: how should a request be made, within what timeframe will the cloud provider respond, are there any costs associated with the assistance…?
7 Every processor is also a controller
Keep in mind, it is extremely likely that cloud providers are controllers in their own right. Processes in departments such as HR, Suppliers, Clients all include the processing of personal data and will need to follow GDPR principles.
- Keep separate records of processing activities (see section 3) for controller and processor activities.
Romanian version of this article is part of first GDPR Ready catalogue published in Romania in October 2017. You can view the online version of the catalogue HERE. GDPR Ready Catalogue, pag. 50-53, Agora Group & cloud☁mania, Bucharest, October 2017,