Digital transformation is one of the big tech buzzwords of 2018. It has many facets, but one stands out as a key trend across industries: the rise of the cloud. IT professionals are increasingly privacy-conscious, particularly following the introduction of the GDPR earlier this year, but the cloud presents unique and complex privacy issues and it can be difficult to know where to start.
It's worth remembering that the GDPR applies only to "personal data", meaning information from which it would be possible to identify a living individual (such as name, email address, IP address, or device information). However, certain considerations (for example, security) remain relevant even where the data concerned is not personal data.
Here are my top five privacy issues to consider when moving to a cloud-based model.
1. Do you have the right terms in place with the cloud provider?
Customers engaging cloud providers will normally be "data controllers" of any personal data that they share with the provider (meaning they decide how and why that data is processed). The provider is considered a "data processor" acting on the customer's behalf. To comply with their GDPR obligations, both parties must ensure that the cloud contract includes certain provisions mandated for agreements between controllers and processors. Many cloud service providers will address these in their standard terms, but customers should always ensure that the correct terms have been included and consider whether to negotiate on certain points (e.g. breach notification time frames).
Liability for privacy or security breaches is another important issue. The parties should consider whether liability should be capped or uncapped and whether indemnities are appropriate (and if a cap is agreed, what the amount of the cap should be).
2. Will personal data be transferred outside the EEA?
The GDPR restricts the transfer of data outside the EEA. "Transfer" in this context includes cases where data is stored in or accessed from locations outside the EEA - for example, a cloud storage solution where data is hosted on servers in the USA or India would be caught by this definition. If data is transferred outside the EEA, additional documentation may be needed to ensure that the transfer is lawful.
3. Do you have the right security measures?
The GDPR requires personal data to be kept secure and requires organisations to use certain security measures, such as encryption and pseudonymisation, where appropriate. Customers must also ensure that any third parties processing data on their behalf can provide sufficient guarantees for the security of that data. Customers should therefore satisfy themselves that the security measures used by the cloud provider are appropriate, taking into account the volume and sensitivity of the data. If there would be a high risk to individuals if the data were compromised (for example, if that data includes health records or credit card information), this will generally warrant a higher level of security.
Of course, security considerations also apply to data stored in the cloud more broadly even where the data is not personal data - customers will often, for example, want to encrypt information before placing it in the cloud.
Note that it will be the role of the company's security professionals, rather than lawyers or business stakeholders, to evaluate the adequacy of security for personal data.
4. How will you deal with data breaches?
Despite an organisation's best attempts to keep information secure, data breaches still happen. Under the GDPR, a data controller (here, the customer) is normally required to report a data breach to regulators within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The 72 hours are elapsed hours, not business hours. This reporting obligation still applies where the customer's data is compromised due to a breach in a cloud provider's environment. Customers will therefore want the cloud contract to include appropriate reporting obligations so that the 72-hour deadline can be met. Both parties should also have an effective breach response procedure in place so that any incidents identified are dealt with quickly.
5. How will individuals exercise their rights?
The individual (or "data subject") sits at the heart of modern privacy law. Data subjects have a strong set of rights, including rights to access their data, have it deleted, corrected, or in certain circumstances ported to another IT environment (known as "data portability"). Organisations moving data into the cloud should therefore ensure appropriate mechanisms exist for dealing with the data subjects' rights.