Cloud computing is an integral part of most businesses globally. Technology has transformed the way businesses operate and thrive in the industry. However, the cloud industry has been facing huge challenges when it comes to complying with various data protection and data privacy standards. With the enforcement of the General Data Protection Regulation (GDPR), a lot has changed for most businesses. The enforcement of GDPR has had significant implications on cloud service providers and their businesses including their implementation of operations and security control mechanisms.
Cloud service providers are now required to understand their obligations towards data protection and privacy to accordingly adapt and amend their services, contracts and processes. With the enforcement of stringent rules under GDPR, it is clear that cloud service providers are acting in the capacity of controllers and processors and cannot avoid their responsibility towards data protection. This idea is worthy of deeper elaboration.
How does GDPR Impact the Cloud Industry?
Nearly five years after the enactment of the regulation, businesses are still struggling to be compliant as per the GDPR regulatory standards. Additionally, for businesses rapidly adopting cloud services, it has become mandatory for both businesses and cloud service providers to adjust their business models. They are required to make significant changes to their business operations in accordance with the regulations. Under Chapter 4 Article 24-43, GDPR clearly mandates rules for Data Controllers and Processors to follow. The regulation highlights the responsibilities, requirements and rules that need to be implemented when dealing with personal data. In order to better understand the implications of GDPR on Data Controllers and Processors as applied to cloud service providers, let us take a closer look at the requirements that are outlined in that section.
GDPR Requirements for Cloud Service Providers
A cloud service provider is considered “in-scope” if they store or process data of citizens of the European Union (EU) on behalf of the Data Controller. Based on the means and purpose of processing data, a Data Controller and its cloud service provider become Joint Data Controllers, which calls for additional significant duties and responsibilities for the Data Processor. However, the cloud service provider needs to clarify its role based on the rules set by GDPR to implement necessary controls and requirements for compliance.
Determining the role is critical. It makes it easy to identify the applicable GDPR requirements. So, determining the roles and responsibilities forms the first step towards developing an appropriate data protection policy. Cloud service providers are expected to take proactive measures for developing a data protection strategy for implementation and management of the necessary GDPR requirements.
General Requirements
Paraphrasing the language of the regulation, below is a checklist of requirements that would apply to cloud service providers.
- Develop principles over the processing activities of personal data.
- Establish the process for data processing and enforcing data subject rights including the right to obtain information, the right to access their information, the right to withdraw their consent, the right to modify their information as well as the right to object to the processing activities by the cloud service provider.
- Set requirements for privacy by design for those engaged in data processing and controlling activities.
- Develop and establish controls over data ownership and data portability rights.
- Implement security measures that ensure the privacy of data.
- Establish principles regarding the processing of personal data to international parties and third countries.
- Develop policies and procedures regarding the management of breaches and incidents.
- Develop policies regarding the establishment of contractual agreements, data retention periods and other applicable requirements.
The chart below gives a summary of requirements that are applicable to cloud service providers towards securing data and ensuring compliance. (Again, these are paraphrased to remove some of the dryness of the regulatory language.)
| Security Control Requirements | Contractual Requirements | Documentation Requirements | |
| Data Controllers | Data Processors | ||
| Cloud Service Providers are required to provide sufficient guarantees that the appropriate technical and organizational measures are in place to ensure compliance with GDPR. Both controller and the processor must implement appropriate measures to ensure a level of security appropriate to risk which may include- | There are certain obligations for Cloud Service Providers that are stated in the commercial service contract. GDPR requires mandatory contract provisions to include- | Each controller where applicable should maintain a record of processing activities and a record containing the following information- | Each processor where applicable shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing the following information- |
| 1.Pseudonymisation and encryption of Personal Data | 1. The Cloud Service Provider or any sub-processors can only process the data as instructed by the data controller. | 1. Name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer | 1. Name and contact details of the processor or processors and Data Protection Officer; |
| 2. Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services | 2. An assurance by the Cloud Service Providers on security measures and how requirements under Article 32 GDPR will be met. | 2. Purposes of the processing | 2. Categories of processing activities performed |
| 3. Restore the availability and access to Personal Data promptly in the event of a physical or technical incident | 3. Enumeration of the sub-processors that are engaged by the processor and details on how updates to these are treated with the controller | 3. Description of the categories of Data Subjects and the categories of Personal Data | 3. Transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and documentation of suitable safeguards as stated under article 49(1) |
| 4. Establish a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing | 4. Information necessary to demonstrate the cloud provider’s compliance with Article 28 GDPR and how the processor will allow or contribute to the data controller’s audits or inspections. | 4. Categories of recipients to whom the Personal Data has been or will be disclosed including recipients in third countries or international organizations. | 4. General description of the technical and organizational security measures referred to in Article 32(1) |
| 5. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraph 1 of this Article | 5. The measures that are provided to guarantee the security of Personal Data that is processed outside of the European Economic Area | 5. Transfers of Personal Data to a third country or an international organization, including the identification of that third country or international organization and documentation of suitable safeguards as stated under article 49(1). | |
| 6. The Data Controller and Data Processor must ensure that any person acting under their authority of who has access to personal data should not process them except on instructions from the controller unless he or she is required to do so by Union or Member State law. | 6. The liability apportioned between the controller and processor in the event of a GDPR infringement or personal data breach, and how such events should be notified to the controller. | 6. Where possible envisaged time limits for erasure of the different categories of data. | |
| 7. How the processor is meeting their obligations to support data subject rights. | 7. Where possible, a general description of the technical and organizational security measures referred to in Article 32(1). | ||
| 8. The subject matter, scope, nature, context, purpose, and duration of the processing and how types and categories of personal data are dealt with at commencement, transfer, routine processing, and ‘end-of-life’ – including return or deletion |
GDPR Code of Conduct for Cloud Service providers
GDPR calls for cloud service providers and processors to demonstrate compliance with the GDPR requirements by adopting approved codes of conduct or participate in certification or seal programs that are approved by Supervisory Authorities. This helps in demonstrating compliance with the regulation, providing guarantees and assurances of cross-border transfer safeguards. GDPR Article 40 encourages the development of codes of conduct that contribute to the proper application of the GDPR Regulation. The regulation clearly specifies the inclusion of certain aspects regarding the application of GDPR requirements in the drafted code of conduct. This should include the following:
- Fair and transparent processing;
- Legitimate interests pursued by controllers in specific contexts;
- Collection of personal data;
- Pseudonymisation of personal data;
- Information provided to the public and to data subjects;
- Exercise of the rights of data subjects;
- Information provided to and the protection of children along with the manner in which the consent of the holders of parental responsibility for children is to be obtained;
- Measures and procedures referred to in Articles 24 and 25 and the measures to ensure the security of processing referred to in Article 32;
- Notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
- Transfer of personal data to third countries or international organizations; and
- Out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects concerning processing, all while retaining all the privileges afforded to the rights of data subjects under Articles 77 and 79.
Conclusion
With the enforcement of the regulation, it is clear that no business can avoid the responsibility of safe data processing. Irrespective of it being outsourced to a third party or done in house, every entity that's involved directly or indirectly in data processing or that has access to personal data of a citizen of the EU will have to abide by the regulation. Negligence or ignorance of these rules can cost businesses, especially the Data Controllers and Data Processors, a huge penalty. Cloud Service Providers need to understand their respective roles and obligations under the GDPR and remember that compliance and the associated risks of non-compliance are a matter of concern that needs to be prioritized.
About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore and India. Mr. Sahoo has more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance as well as Audit, PCI PIN, SOC2, PDPA and PDPB. Since 2004, the company has worked with organizations across the globe to address the regulatory and information security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
