IAPP CIPT – GDPR for Cloud Service Providers (CSPs)

1. Cloud and GDPR Concerns

Hi guys. We’ll discuss about cloud and GDPR concerts. As the GDPR is a lot about consent or other legal grounds for lawful processing, about data subject rights, privacy and putting back the control of personal data in the hands of people in general. It clearly requires a risk perspective approach, meaning the risks from the view of the data subject’s, personal data protection, not your company’s risk in a strategic, planned and holistic way. And obviously, technologies are involved.

Technologies are part of the risks and challenges to address and part of the solutions in many GDPR compliance efforts. Among the technologies that are affected by the GDPR and Eprivacy regulation, we will mention IoT Internet of Things and we will debate about this in the end of the course in section four. And among the technologies that can help bring GDPR compliance closer, we mention artificial intelligence. In our full GDPR course, artificial intelligence, or AI can help with metadata and retention schemes through automatic classification and metadata extraction.

And there is indeed a growing attention for artificial intelligence in the overall GDPR picture. Of course, many technologies stand on both sides as risks and as enablers to prevent risks or solve issues regarding the rights which data subjects have under the GDPR. Even more recent technologies such as Blockchain have been cited as ways to achieve GDPR compliance, as it is still very early days. With regards to the latter, let’s take a look at the technologies that do cause concerns and headaches from a GDPR perspective in many organizations.

Starting with the cloud. Well, it’s pretty inevitable to start with GDPR and cloud, as cloud computing is adopted in such high degrees and is still the foundation for many digital transformation initiatives with big data analytics, mobile and social. Cloud is still the foundation of the third platform upon which all those innovation accelerators are added, enabling digital transformation overall and the transformation of industrial markets increasingly known as Industry 40. In general, the Cloud SaaS is Pas infrastructure as a service platform.

The service cloud applications and particular cloud solutions, file sharing, cloud storage, et cetera have caused concerns, and this is logical. After all, the public cloud and hybrid cloud models by definition involve workloads and information that are not on premises, but distributed, managed and processed across hardware, software and network systems of third parties. It is clear that mainly with public cloud and cloud applications which directly can touch personal data, as many tend to do, just think about CRM marketing, automation, collaboration tools, et cetera. There have been quite some concerns. Several cloud companies announced that their cloud solutions are ready for GDPR already or will be ready in the near future. Concerns regarding GDPR and cloud, and which are the facts about that. Still, concerns regarding the cloud remain.

According to some researchers whooping 93% of companies is concerned with data storage in the cloud after the GDPR. Moreover, 91% of respondents are concerned about how GDPR rules will impact cloud services. The respondents weren’t exactly beginners 500 It decision makers from companies with over 100 employees and $15 million turnover. Despite concerns about GDPR and cloud, only 26% said they picked a cloud provider because they trust its GDPR effectiveness. That makes GDPR effectiveness far less important than scalability pretty much the essence of cloud, which method as a decision criterion for 41% of respondents. But then the picture gets uglier and once more shows how even relatively large companies and It decision makers still haven’t put GDPR compliance, or at the very least coming as close to GDPR compliance as possible at the top of their agenda. When it comes down to cloud services, 46% of respondents are concerned about the complexity of GDPR and only 15% cited privacy. Fortunately, security and breaches are more of a concern, with 41% of respondents. However, only 14% states that concerns about meeting GDPR and you can add a privacy to that, including their new rules for the handling, storing and processing of personal data are uppermost on their minds.

2. Looking at GDPR the right way

Hi guys. I will discuss now about some lessons from how It decision makers I have discussed with look at GDPR cloud concerns. It’s the perspective of the data subject that should matter for starters. Unfortunately, it confirms once again what has been said so often. Many seem to be looking at security, prevention of breaches and the complexity of GDPR. Yet very few are really talking the right precautions and are looking at GDPR in a more strategic and incompassing way, whereby privacy and risks with regards to personal data protection should be looked upon from the perspective of the data subject people and the risks and privacy, not just some security precautions. It is a totally wrong way to look at GDPR also in the perspective of GDPR and cloud.

The fact that only 15% highlighted privacy in relation to cloud services is a saddening proof of this. Certainly, when you look at the other mentioned data with regards to security breaches and complexity, wrong cloud GDPR concerns show GDPR misunderstanding, and that’s a fact. There is a major discrepancy between the whooping percentages of respondents who have concerns with regards to GDPR and cloud on one hand, and how these concerns are dealt with in practice, on the other hand.

Moreover, the concerns are predominantly those you typically expect from people in It who think in terms of security breaches, implementation and so forth. But it’s as clear from the first conclusion that not the concerns of people who look at risks from the perspective of the data subject and his personal data we are talking about here. Now. Why is that important, you may ask? Well, the first thing that will happen when a company is visited to check how GDPR compliant it is will be to look at what steps have been taken. Awareness is a crucial stage. Looking at risks from the data subject perspective is another one.

And having a clear plan to address those risks at all levels after a gap analysis, even if it still needs implementation, is certainly also a token. You did take needed steps. So what is the conclusion till now? From my point of view is that there isn’t a plan, let alone understanding of these crucial aspects, let alone of the scope of the GDPR. It’s not as people or companies aren’t concerned about GDPR or GDPR and cloud. They just aren’t concerned about the right things and have a far too limited and fragmented view. From what I can see now, either everybody looks rightly concerned about how the GDPR will affect the cloud. It is apparent that many are not helping themselves. Although 89% claim to be very or quite clear about how GDPR will affect their organization.

They don’t seem to be giving due weight to meeting these new privacy obligations. The obsession with security alone in GDPR preparations and they say there is little point putting a ring of steel around data you shouldn’t have. Yes, cloud is a GDPR concern on many levels. And yes, just a strategy, information management and a plan. Cybersecurity and the prevention of data breaches is of the utmost importance. But then again, not being concerned about security and data breaches regardless of GDPR Eprivacy regulation and the privacy Shield in these days, where data and security are the essence, to even conduct digital business, let alone digitally transform, is already unacceptable. As such, for us, this is once again proof that GDPR has several benefits for businesses in a digital transformation economy. The problem, however, is that it will only benefit those that really get it. I will leave you at the end of this lesson with something you should always remember GDPR compliance is a strategic group effort. Don’t blame the It decision maker.

3. Controllers and Processors

Hi, guys. In this lesson, we’ll discuss about controllers and processors. The European Union General Data Protection Regulation introduces measures to ensure security of personal data, specifying how organizations should manage data from their employees, customers, and even partners. These regulations apply to individuals living in the Economic European Area, which we call EEA. Personal Data is considered any information that can directly or indirectly identify an individual, whether it relates to their private, professional, or public life.

It can be a name, a photo, an email address, an individual’s bank details, medical information, work, performance details, and even purchases or tax numbers, education or competencies location usernames. It can be computer IP addresses, and so on and so forth. CSPs or cloud service providers will need to understand and comply with these regulations. And organizations choosing a CSP should make sure any vendors under consideration are in compliance with these regulations. Well, CSPs will need to adapt and amend their services, their contracts and background processes to address the new requirements under the GDPR. If they don’t, the consequences are costly. Lack of compliance with this regulation can reflect in fines that go up to €20 million or 4% of global turnover, whichever is higher.

The regulations apply regardless of where the personal data is kept, whether on paper or on servers in the cloud. However, the cloud possess a number of specific compliance challenges, and this is normal. It’s important to understand everyone’s role in GDPR compliance. The GDPR expands the scope of data security regulations. Previously, regulations only applied to the controller, meaning the person or organization that determines the purpose and means of processing personal data.

For example, a business would be the controller for its customer and employee data. However, the GDPR extends the compliance responsibility to the processor of the data, such as a CSP. The GDPR requires processors to develop and implement a number of internal procedures and practices to protect personal data. Most of those procedures and practices are related to information security and how these processes are managed. So those who follow international standards like ISO 27,001 or SoC Two, are the ones most prepared for the GDPR challenges.

Also, the processor must ensure that any subcontractors follow the requirements. Let’s talk about data location. The GDPR requires that controllers and processors know where the Personal Data is located for storage and processing. This restricts the ability to transfer personal data to third countries or international organizations outside the Economic European Area. CSPs may have or use servers outside the Economic European Area, but the transfer of Personal Data must comply with GDPR data transfer principles. For example, a vendor’s cloud could be supported on Amazon Web Services or AWS, which would enable customer data to be stored in Europe. Therefore, complying with GDPR data transfer is easier if organizations select a CSP with infrastructures located in multiple regions.

Businesses as the controllers must assess whether the security measures of their CSP. The processor meet the security requirements by conducting periodic audits. The same applies to a processor using a subprocessor. Each international security standard has its own security program as part of the certification process. This means that periodically, controls in place are evaluated as well as their maturity level in terms of compliance. As an example, ISO 27,001. Nxa specifies 114 security controls that are required to adopt, and any exclusions of adoptions must be justified. Rights of individuals and cloud contracts. Let’s debate about that. The GDPR extends specific rights to individuals regarding the use of their personal data. These include processes around the transfer of data and when to erase data. Even though these responsibilities are assigned to the controller, it will fall on the processors to adapt infrastructure or services to accommodate this.

For example, choices about shared or dedicated databases must be considered in accordance with the nature of the data schema. The GDPR is prescriptive about the contents of the contracts that were established between the controllers and processors or between the processors and subprocessors, and sets out many stipulations, including when to process personal data. As people become far more security conscious about their personal data, there will be more regulations like GDPR. The best approach is to stay ahead of the regulations by launching security initiatives and staying up to date with the latest security certifications. By adopting international standards in information security management, companies are much more prepared to handle new requirements that will come in most situations. It just requires a few changes to include or implement in a different way. Let’s speak about data center providers.

Well, data center providers are also an important piece in the GDPR compliance chain that can’t be overlooked. They have the ownership of the physical assets where information is stored. In that sense, they are considered processors and are required to manage at least personal data related to physical access control, like biometrics or video surveillance, or their own employees and subcontractor information well related to personal identifiable information or PII. GDPR compliance has some challenges that should be addressed by data center managers. For starters, they should create, implement and manage data retention policies compatible with customers specific needs and also with local legislation.

They should also update processes and technology to cover their rights to forget and data portability requirements. The GDPR deadline is fast approaching, and organizations are running out of time. It’s essential that everyone understands this regulation and takes responsibility for the data they come in contact with, whether they are the controllers or the processors. Organizations must take the time to assess that their CSPs are compliant with GDPR. And while CSPs may have a lot of changes to make in a short period of time, these changes will ultimately improve data security, which is vital in today’s volatile cybersecurity.

4. CSP as a processor and GDPR

Hi, guys. Many CSP processors will need to understand their obligations under the GDPR and adapt and amend their services, contracts and background processes. As we already discussed, processors can no longer hide under the current European Union data protection directive. It is data controllers, rather than processors that carry the burden of liquid compliance. Processors carrying out processing on behalf of the controller, as is the case in the majority of cloud services, arrangements are no directly subjective to the directives rule. But now the GDPR changes that by expanding the scope of application of European Union data protection law requirements, recognizing the role that processors also play in protecting personal data.

Processors are no longer outside of the ambit of the rules. Until now, many cloud deals have concluded, with the data controller failing to adequately exempt and exert controls over the data being processed by CSP processors. The latter, particularly those based overseas, have attempted to force their customers, meaning the data controllers, to wrap and warrant that they would act in compliance with all local data laws and that they have all necessary consent from data subjects to pass data to the CSP processors pursuant to the services. This scenario, although a nonsense under European Union data protection law, was often successful as the burden of non compliance falls solely to the customer as a controller.

Aside from the new obligations on data processors discussed in the last Lessons, any person who has suffered material or immaterial damage as a result of an infringement of the GDPR shall have the right to claim compensation from the controller or the processor for any damage suffered. Individuals may only claim damages from the processors where it has not complied with the obligations under GDPR specifically directed to processors or acted outside or contrary to lawful instructions of the controller. There are apportionment mechanisms where multiple parties or both controllers and processors are involved in an infringement.

All of these now means that a processor will be directly accountable to those whose day to day process CSP processors might be particularly affected as they have a deeper pocket and no direct contractual means to easily limit or control their potential exposure. In addition, every processor is also subject to the much publicized GDPR panel finding regime. Clearly, under the GDPR, it will no longer be possible for CSP processors to position themselves as mere processors and evade the reach of data protection rules. The GDPR requires data processors, including CSP processors, to develop and implement amend a number of internal procedures and practices to protect personal data. There are some exemptions for small and medium enterprises, but the burden on smaller CSP processors should not be overlooked.

• Category: Uncategorized