New guidance aimed at Irish organisations when contracting with cloud service providers

Our team: Tim Wright, Joshua Bennett

Businesses are increasingly using cloud services for an ever-growing range of IT and related services, often categorised as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). Key characteristics of cloud services often include internet delivery of the services, self-provisioning, elasticity (i.e. on-demand capacity) and subscription models. Another distinction often made is between a ‘private cloud’ – where the cloud provider dedicates resources to a specific client – and a ‘public cloud’ – where the client operates in a multi-tenanted environment involving shared systems and infrastructure. ‘Hybrid’ versions use a mixture of processing and data sharing between the controller’s and the cloud provider’s infrastructures.

The security principle

An important obligation under the General Data Protection Regulation (GDPR) is that organisations which process personal data (controllers) do so in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing (including theft, destruction or damage, or disclosure) using ‘appropriate technical or organisational measures’ – sometimes referred to as the ‘security principle’.

In particular, controllers must remain in control of their personal data even though its processing is performed by a cloud provider, with data security and transparency of the processing undertaken (especially the location of the data) being two of the most important elements of the services provided.

With this in mind the Irish Data Protection Commission (DPC) has issued guidance[1] for businesses when engaging cloud service providers which will help them make sure that their cloud arrangements comply with the GDPR, particularly where they utilise or store sensitive personal data. Faced with a personal data breach, one of the first questions the DPC will ask about is the appropriateness of the technical and organisational measures in place to ensure the security of the personal data.

Cloud computing as a security risk

The DPC considers that a risk to the security of personal data can arise where:

  • a controller hands control over data to a cloud service provider,
  • insufficient information is available regarding the cloud processing services and related safeguards, or
  • the cloud provider cannot adequately support the data controller’s obligations or data subjects’ rights.

Security considerations

A controller must be satisfied that personal data will be secure if it is outsourced to a cloud provider. This includes ensuring that the provider has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. In this context, controllers looking to outsource to cloud providers must be satisfied that:

  • the cloud provider will only process the data in accordance with the controller’s instructions, hence the need for a contract between controller and cloud provider, and
  • the provider has taken into account the risks presented from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

The controller’s pre-contract due diligence should include seeking assurances from the cloud provider, and as appropriate enshrining them in the contract, on key issues such as:

  • if required, carrying out pseudonymisation and encryption of the personal data,
  • separating personal data provided by the controller from other customers’ data,
  • ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services. This encompasses the organisational and technical means, from staff confidentiality requirements to meeting the security requirements of Article 32 GDPR,
  • restoring availability and access to personal data in a timely manner following an incident,
  • regularly testing, assessing and evaluating the effectiveness of technical and organisational measures from a security perspective,
  • putting in place an incident response plan which can be implemented in the event of a data breach, backed up by contractual provisions dealing with breach notification so that data subjects are not unnecessarily put at risk, and
  • having the means to delete or return all personal data to the controller when the contract terminates.

As well as including these items in the written contract, controllers must also seek assurance on an ongoing basis during the life of the agreement, which may entail a right to audit or a requirement for the cloud provider to provide an audit questionnaire or third party certification. The DPC also points out that an approved code of conduct (Article 40 GDPR) or approved certification mechanism (Article 42 GDPR) can be used to supplement compliance with Article 32.

Transparency is a must

A high level of transparency is required to ensure the controller understands how its cloud provider(s) can service its processing needs in a GDPR-compliant manner, i.e. the provider must be able to account for its processing operations to the satisfaction of its customers. In turn, controllers must provide transparent information to their data subjects when their personal data is processed ‘in the cloud’.

Further, Article 30(2) GDPR on record keeping also applies to cloud services, as part of the accountability requirements of the GDPR, requiring the processor to document and make available to a controller the basic information specified.

Appointment of sub-processors

As mentioned previously, cloud providers (as processors) must provide their controllers with information regarding any sub-processors they engage to provide their services. This means that a controller can review this arrangement under contract terms and allows the controller to object to sub-processing if needed (Article 28(2) and 28(4) GDPR).

Article 28(5) GDPR says that a cloud provider (as processor) can use approved codes of conduct or approved certification mechanisms to help demonstrate the compliance of elements of their processing. The DPC points out the importance of ensuring that the nature, scope and context of such codes or certification is clear to controllers as they need to adequately understand to what extent it applies to the processing of their personal data, and if it is appropriate to the processing operations that are being contracted.

Location, location, location

Where data is transferred outside of the EEA, special measures are required to ensure that the data is still adequately protected. More information on the range of options available is set out in the DPC’s guidance on international transfers[2], but in practice one of the following mechanisms must be relied upon:

  • the data transfer is subject to appropriate safeguards (see Article 46 GDPR) such as the EU approved model contracts; or
  • the data transfer is subject to binding corporate rules (per Article 47 GDPR).

Whichever of these mechanisms is used, the protections must also extend to any sub-processors engaged by the cloud provider.

Contractual requirements

Article 28(3) GDPR requires a written contract between the controller and the processor which sets out certain mandatory items. For example, the processor must not appoint sub-processors without the controller’s authorisation.

A controller engaging a cloud provider as a processor must also retain control over the personal data to be processed, and there must be agreed and clear limits to that processing. The cloud provider must be clear about its obligations to the controller, and any limits to its responsibility and liability for infringements or breaches by the cloud provider must be defined.

The contract should include the following:

  • the cloud provider (and any sub-processors) must only process the data as instructed by the controller,
  • detailed assurance as to the cloud provider’s security measures and how requirements under Article 32 GDPR will be met,
  • a list of any sub-processors engaged by the cloud provider and details of how updates to that list will be managed with the controller,
  • the information necessary to demonstrate compliance by the cloud provider with Article 28 GDPR and how it will allow or contribute to the data controller’s audits or inspections,
  • appropriate measures guaranteeing the security of any personal data processed outside the EEA,
  • an apportionment of liability between the controller and the cloud provider in the event of a GDPR infringement or personal data breach, and how such events are notified to the controller,
  • how the cloud provider is meeting its obligations to support data subjects’ rights, and
  • the subject-matter, scope, nature, context, purpose and duration of the processing and how types and categories of personal data are dealt with at commencement, transfer, routine processing and ‘end-of-life’, including return or deletion.

Controllers can also consult the DPC’s practical guide to drafting data processor contracts[3] as well as guidelines published by the European Data Protection Supervisor[4].

A final word of advice

The DPC concludes by reminding organisations that, under the GDPR, they must report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach where the breach presents a risk to the affected individuals, and that where such a breach is likely to result in a high risk to the affected individuals, they must also inform those individuals without undue delay. The DPC has issued more detailed guidance on breach notifications[5].
