Out-Law News | 15 Nov 2019 | 11:22 am | 3 min. read
The guidance, issued by Ireland's Data Protection Commission (DPC), confirms that in many cases cloud providers will be 'data processors' under the EU's General Data Protection Regulation (GDPR).
The organisations engaging cloud providers in this context are 'data controllers' and are obliged to ensure they have a written contract with the cloud provider to comply with the GDPR. Article 28 of the GDPR stipulates the minimum provisions those contracts should contain.
The DPC acknowledged that there are circumstances in which cloud providers may themselves be 'data controllers' or 'joint controllers' of the personal data they process, but its guidance if primarily framed in the context of cloud providers acting as processors.
The DPC in its guidance provided a checklist of what a cloud service contract should contain. The contract should, among other things, include "the liability apportioned between the controller and processor in the event of a GDPR infringement or personal data breach, and how such events are notified to the controller", the DPC said.
Nicola Barden of Pinsent Masons, the law firm behind Out-Law, said: "The inclusion of provisions on the apportioning of liability is not a requirement under Article 28 of the GDPR but is rather a commercial term that is usually included in data processing agreements which any prudent controller would have in their cloud service provider agreement in relation to data protection liability."
Barden said the guidance issued by the DPC places a heavy emphasis on security risks and the requirements around data security contained in the GDPR. It follows a report the DPC issued last year which provided guidance on how businesses can take advantage of cloud solutions securely.
In its latest guidance, the regulator flagged that risks to the security of personal data can arise "where a data controller relinquishes control over the data to a cloud service provider, where there is insufficient information available regarding the cloud processing services and their safeguards, or where the cloud provider cannot adequately support the data controller’s obligations or data subjects’ rights".
In a broader context, the DPC said "one of the first questions" it will ask organisations who have experienced a personal data breach or which are subject to its investigations is whether the security measures in place to ensure the security of personal data is "appropriate".
Barden said: "Controllers should be aware that the DPC will not just look at the policies and notices that they have put together to meet their data protection obligations – it will look behind these to the security measures controllers have in place to protect personal data, and we can safely assume that this will include looking at how controllers have satisfied themselves about the appropriateness of the security measures implemented by the third parties they use to process personal data, including cloud providers."
According to the DPC, organisations exploring whether to contract with cloud providers over personal data processing should first satisfy themselves that the provider's "security standards are sufficient and appropriate for the processing of personal data they will undertake on the controller’s behalf". The regulator listed a number of assurances that cloud providers should be able to offer in this regard.
Those assurances relate to matters such as data encryption, segregation of data, data confidentiality, systems integrity and resilience, access to data – including following the termination of the contract and procedures in the event of a data breach, the guidance said.
The DPC explained how organisations engaging cloud providers can assure themselves on those issues in practice.
"This would typically be achieved by way of a detailed technical analysis incorporating an information security audit questionnaire of the cloud provider and/or any approved code of conduct or certification mechanism provided by the cloud provider as assurance," the DPC said. "In some cases it may also necessitate on-site inspection of premises, the way the organisation has implemented their security policy, or audit of particular personal data processing operations or technology usage."
Article 28 of the GDPR requires, among other things, that data controllers insert contractual rights of audit, including inspections, into their data processor agreements. Barden said that businesses sometimes get pushback on these audit requirements due to the fact that cloud providers usually operate multi-client environments.
The DPC has offered some guidance on how this issue can be resolved, which Barden said "will assist controllers and processors to reach an agreed position without falling short of the legal requirements".
The DPC said: "An audit questionnaire may be sufficient in some cases to meet cloud providers obligations [in relation to contractual provisions on audit rights under Article 28 of the] GDPR, allowing controllers to perform audits of their operations. A key part of this audit will focus on the security arrangements."
"Note that, as cloud providers will typically provide services to multiple data controllers and have security and confidentiality obligations with each, the extent and detail of what is made available in that audit may be restricted," it said.
14 Dec 2018
12 Dec 2018