Businesses are increasingly using cloud services for an ever-growing range of IT and related services, often categorised as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). Key characteristics of cloud services often include internet delivery of the services, self-provisioning, elasticity (i.e. on-demand scaling of resources) and subscription models. Another distinction often made is between a ‘private cloud’ – where the cloud provider dedicates resources to a specific client – and a ‘public cloud’ – where the client operates in a multi-tenanted environment involving shared systems and infrastructure. ‘Hybrid’ versions split processing and data between the controller’s own infrastructure and the cloud provider’s.
The security principle
An important obligation under the General Data Protection Regulation (GDPR) is that organisations which process personal data (controllers) do so in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing (such as theft or disclosure) and against accidental loss, destruction or damage, using ‘appropriate technical or organisational measures’ – sometimes referred to as the ‘security principle’.
In particular, controllers must remain in control of their personal data even though its processing is performed by a cloud provider; data security and transparency about the processing undertaken (especially the location of the data) are two of the most important elements of the service provided.
With this in mind, the Irish Data Protection Commission (DPC) has issued guidance for businesses engaging cloud service providers, to help them ensure that their cloud arrangements comply with the GDPR, particularly where they process or store sensitive personal data. Faced with a personal data breach, one of the first questions the DPC will ask is whether the technical and organisational measures in place to ensure the security of the personal data were appropriate.
Cloud computing as a security risk
The DPC considers that a risk to the security of personal data can arise where:
A controller must be satisfied that personal data will remain secure if its processing is outsourced to a cloud provider. This includes ensuring that the provider has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. In this context, controllers looking to outsource to cloud providers must be satisfied that:
The controller’s pre-contract due diligence should include seeking assurances from the cloud provider, and as appropriate enshrining them in the contract, on key issues such as:
As well as including these items in the written contract, controllers must also seek assurance on an ongoing basis during the life of the agreement, which may entail a right to audit or a requirement for the cloud provider to complete an audit questionnaire or provide third-party certification. The DPC also points out that adherence to an approved code of conduct (Article 40 GDPR) or an approved certification mechanism (Article 42 GDPR) may be used as an element by which to demonstrate compliance with Article 32.
Transparency is a must
A high level of transparency is required to ensure the controller understands how its cloud provider(s) can service its processing needs in a GDPR-compliant manner, i.e. the provider must be able to account for its processing operations to the satisfaction of its customers. In turn, controllers must provide transparent information to their data subjects when their personal data is processed ‘in the cloud’.
Further, the record-keeping obligation in Article 30(2) GDPR also applies to cloud services, as part of the GDPR’s accountability requirements: the processor must document the categories of processing it carries out on behalf of each controller and make that record available on request.
Appointment of sub-processors
As mentioned previously, cloud providers (as processors) must provide their controllers with information regarding any sub-processors they engage to provide their services. This allows the controller to review the arrangement under the contract terms and to object to the sub-processing if needed (Article 28(2) and 28(4) GDPR).
Article 28(5) GDPR says that a cloud provider (as processor) can use adherence to approved codes of conduct or approved certification mechanisms to help demonstrate the compliance of elements of its processing. The DPC points out that the nature, scope and context of any such code or certification must be clear to controllers, who need to understand to what extent it applies to the processing of their personal data and whether it is appropriate to the processing operations being contracted.
Location, location, location
Where personal data is transferred outside the EEA, additional safeguards are required to ensure that the data remains adequately protected. More information on the range of options available is set out in the DPC’s guidance on international transfers, but in practice one of the following mechanisms must be relied upon:
Whichever of these mechanisms is used, the protections must also extend to any sub-processors engaged by the cloud provider.
Article 28(3) GDPR requires a written contract between the controller and the processor which sets out certain mandatory items. For example, the processor must not appoint sub-processors without the controller’s prior authorisation.
A controller engaging a cloud provider as a processor must also retain control over the personal data to be processed, and there must be agreed and clear limits to that processing. The cloud provider must be clear about its obligations to the controller, and any limits to the provider’s responsibility and liability for infringements or breaches must be defined.
The contract should include the following:
A final word of advice
The DPC concludes by reminding organisations that, under the GDPR, they must report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the affected individuals, and that where the breach is likely to result in a high risk to those individuals, they must also inform them without undue delay. The DPC has issued more detailed guidance on breach notifications.