Cloud services have become an increasingly cost-effective way to store and process large amounts of data, especially for smaller companies that cannot afford dedicated IT systems and in-house staff. Up to a quarter of total IT budgets in small and medium-sized companies is spent on cloud services, rivalling the expenditure on other software and hardware.
However, the GDPR will significantly change how cloud processors are viewed in the eyes of the law. They will have to be more involved and assume more direct responsibilities of their own. Let’s explore what it all means for you.
More Responsibilities in the Cloud
Under the current legislative environment, cloud providers largely escape liability when something goes wrong. Data controllers (meaning your company, whose data is being processed by the cloud provider) are usually the ones held responsible. Often, cloud service providers are even treated as ‘mere conduits’: they are not considered to process the data and have no obligation to monitor or oversee it.
The GDPR introduces fines for data processors as well, if they fail to follow the obligations set out by the data controller, and especially if they process the data unlawfully without the controller’s knowledge or instructions. A processor that decides on its own why and how the data is processed is treated as a controller for that processing, with the full liability that entails.
Of course, these obligations apply only to personal data. If only non-personal data is processed, the GDPR does not apply at all. Be careful with this distinction, though: pseudonymised data that can still be linked back to a person remains personal data, and only truly anonymised data falls outside the regulation. We have more resources to help you determine whether you are processing personal data.
Cloud processors are now required to maintain records of the processing they carry out on a controller’s behalf, and they have to understand what data they are handling and why, especially where the cloud provider is also contractually responsible for data security.
The most important thing to update will be the contracts between data controllers and cloud processors. This is essential, because the GDPR prescribes a minimum set of terms that every controller–processor contract must contain, and most existing contracts do not satisfy them. Supervisory authorities and other concerned bodies have promised to publish model contracts that meet the basic requirements.
As a cloud service provider, you will certainly have concluded that it will be impossible to avoid complying with the GDPR one way or another. Even if you are based outside the EU, you are still obligated to comply if you process the personal data of individuals in the EU. Unless, of course, closing up shop for EU customers is an option. Our wild guess: it isn’t.
The issue is complicated by the fact that most companies are not even aware of how many cloud computing tools they use. They consistently underestimate the number by about 90 percent: the average European business uses 608 cloud apps. This is something companies have to work on in order to retain control of their data, because you cannot contract with, audit or give instructions to a processor you do not know you are using.
Cloud providers aren’t yet equipped to help them, as surveys show that only 1% of cloud service providers fully comply with the GDPR rules.
The GDPR in effect requires controllers and processors to know at all times where personal data is stored and which copies of it exist: records of processing, erasure requests and the rules on international transfers all depend on it. This limits the flexibility of cloud service providers with regard to back-ups and distributed storage, since a copy sitting in a replica or backup in another region is still a copy that must be accounted for and deleted on request.
Some regulatory bodies, such as the German ULD, maintain that non-EU datacentres processing EU data could be inherently illegal under German law. Most other authorities do not share that view, though.
The best practice is therefore to have the data stored in the EU. Transfers to other countries are generally not allowed unless the destination is deemed safe enough by an adequacy decision of the European Commission, or the transfer is covered by appropriate safeguards such as standard contractual clauses or binding corporate rules. If such transfers take place, the individuals whose data is transferred must be informed of them.
The Key Points
The price of cloud services will almost certainly increase due to additional administrative overhead, at least during the initial transition period. However, better data-protection practices could reduce the number, and thus the cost, of breaches, so the net result may be roughly break-even. The difference is that the costs will be spread among all users instead of being borne only by the companies that suffer a breach.
Responsibility will be shared between cloud providers and data controller companies, and model contracts will help manage these relationships. Be very vigilant about new contracts, as cloud services will inevitably try to reduce their own liability and shift as much responsibility as they can back onto your company.
End-users will likely be shielded from these under-the-hood changes, but if everything goes right, their data will be much safer once the GDPR applies.