With the GDPR and the wrangling that looms ahead, Sarah Williamson, partner at specialist technology and innovation law firm Boyes Turner, explores the complex new legal landscape and roles of controllers vs. processors, and offers advice on how to avoid onerous obligations and penalties.
Data centre operators and cloud service providers need to prepare urgently for major changes in data protection laws under the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018.
Changes affecting processor agreements and sub-processors will be a particular issue along with the principles of data protection by design and accountability. The stage is set for enhanced due diligence of security measures and significant contractual wrangling between parties that will need to clarify where responsibilities and liabilities lie. Huge, multi-million pound fines are at stake.
The aim of the GDPR is to provide a harmonised data protection framework across the EU that addresses rapid technological advancements and the unprecedented scale of global flows of personal data in recent years.
The GDPR also strengthens the protection of personal data through the introduction of tougher obligations on data controllers, increased data subject rights and new direct obligations for data processors.
For cloud service providers and those data centre operators that process personal data and are therefore classed as ‘processors’ under GDPR, this latter change presents practical and legal challenges.
Under existing data protection laws, responsibility for data protection compliance rests on the controller. However, the GDPR also places direct obligations on processors, requiring them to:
● Maintain records of data processing activities
● Cooperate with supervisory authorities
● Notify data protection breaches to controllers without undue delay
● Implement appropriate technical and organisational measures to protect personal data, e.g. encryption, pseudonymisation, codes of conduct and certifications
● Appoint a Data Protection Officer in some cases.
The onerous obligations even extend to requiring the processor to notify the controller if it believes the controller’s instructions infringe data protection laws.
A clear understanding of the requirements of the GDPR and the establishment of appropriate policies and procedures will be essential to achieve compliance.
Providers based outside of the EU will be directly affected by the GDPR if they process personal data of EU residents – one reason why Brexit provides no comfort at all in this context.
Processors can no longer hide behind controllers or make controllers solely responsible for determining the sufficiency of security measures. Not only do processors have direct accountability to the supervisory authorities, but data subjects can claim compensation from processors as well as controllers – and the party with the deepest pockets is the one likely to be pursued.
Today, the majority of contracts involving processing of personal data contain data protection provisions to widely varying extents. Some contain basic provisions requiring service providers to comply with data protection legislation, to act only on the customer’s instructions and to have sufficient security measures in place. These basic provisions are all that is required under current laws.
The GDPR will change this position. A controller must enter into a binding written agreement with any processor it engages which sets out full details of the processing, including the type of personal data along with specific mandatory provisions set out in the GDPR, a number of which are likely to give processors an almighty headache and lead to protracted negotiations.
Mandatory processing provisions
The binding written agreement must oblige the processor to:
● Only process personal data on documented instructions from the controller;
● Ensure that personnel involved in processing are under an obligation of confidentiality;
● Implement appropriate technical and organisational measures to ensure appropriate security which includes pseudonymisation and encryption, restoration of data and regular testing;
● Obtain the controller’s prior written authorisation for the appointment of a sub-processor;
● Assist the controller in ensuring compliance with the requirements for notification of data breaches, data subject rights, the requirements for privacy impact assessments and obtaining approvals from supervisory authorities where necessary;
● Delete or return personal data on termination of the processing services; and
● Provide the controller with all information necessary to demonstrate compliance with the GDPR and allow for audits.
These requirements will also apply to existing agreements entered into before 25th May 2018, but continuing beyond this date. All will need to be reviewed and renegotiated where appropriate.
The new sub-processing landscape
Requirements relating to sub-processing raise a number of issues for cloud service providers:
● Firstly, whilst the GDPR allows a processor to obtain general consent for sub-processing from the controller, the processor must notify the controller of any change of sub-processor in order to enable the controller to object. What happens though if the controller does object? The processor can’t simply move its service to another provider because one customer has objected. Agreements will need to address this scenario.
● The processor must impose on the sub-processor the same data protection obligations as set out in the agreement between the processor and the controller. Where those obligations are not identical for all customers, this will necessitate tailored contracts between processors and sub-processors for each customer, which seems inconceivable particularly when the sub-processor is a large corporate.
● One of the terms which will need to be flowed down to a sub-processor is the right to audit. It is difficult to see how this is achievable in the context of cloud providers who are unlikely to allow customer audits of premises and facilities. The parties will need to consider other options that will give the processor some comfort in this event, for example penetration testing and security reports.
If a processor can’t satisfy the requirements in relation to sub-processing, ultimately this will leave the risk of non-compliance on the doorstep of the processor – who may be smaller and less able to stomach the fines than the sub-processor.
Steps to take
May 2018 is not a long way off, particularly given the potential scale and complexity of the inevitable practical and contractual considerations involved. Data centre operators, cloud providers and their customers need to act now to gear up for compliance.
An audit and gap analysis of existing agreements and templates should be carried out to identify changes that need to be made. Policies and procedures will need to be reviewed and data centre or cloud service providers need to be prepared for rigorous due diligence of their security measures.
Whilst direct obligations are placed on processors, this doesn’t exonerate or detract from the liability of controllers, whose data protection obligations are more onerous under the GDPR. A controller must ensure that any processor it engages guarantees GDPR compliance which will necessitate comprehensive checks of any data centre or cloud service provider. Substantial costs of compliance will also need to be budgeted for and factored into pricing models.
With potential fines for non-compliance of up to €20m or 4% of a company’s worldwide annual turnover (whichever is the greater), the GDPR is not to be ignored.