Last year I wrote about the key issues cloud providers need to know about the new EU General Data Protection Regulation. This is the new EU-wide legislation that will finally harmonise data protection laws across the 28 EU member states (except for the bits where member states can enhance the minimum protection specified – wait, that sounds like an opportunity for gold-plating leading to a lack of harmonisation).
The Regulation has entered the “trilogue” stage. This is where the European Commission, European Parliament and European Council agree their differences. It appears we should expect this by December 2015 with the Regulation becoming effective in member states just over 2 years later, probably early 2018.
Here’s an update on the main ways it will affect cloud providers:
- Cloud providers will be caught directly
Cloud providers, as “data processors”, must process (personal) data only on instructions from their customer (that is, the “data controller”), keep the data secure, assist the customer in complying with its obligations, maintain a record of all categories of personal data processing activities carried out on behalf of the customer, and not enlist another processor without the “prior specific or general written consent” of the customer. These direct obligations on the cloud provider are now clearer.
- Mandatory breach notification
The cloud provider must notify its customer of data breaches “without undue delay”. The customer in turn must notify the ICO or other relevant supervisory authority within 72 hours (relaxed from the 24 hours in earlier drafts). If you leak customer data and then, without a good excuse, cause the customer to notify the ICO late, you might be in breach twice: once for leaking the data in the first place and again for failing to notify your customer promptly that you leaked it.
- Massive fines against cloud providers
It looks likely that the fines for the most serious breaches will drop back down from 5% to the higher of €1m or 2% of global turnover. Having said that, the draft Regulation now makes it clear that cloud providers can be directly liable for fines and for claims by data subjects unless they can prove they were not responsible.
- Data Protection officer
This is looking like an option now rather than a requirement. Realistically, cloud providers will have to ensure someone is responsible for data security and compliance with data protection legislation even if that role is not a full time one.
4 steps every cloud provider should take:
You still have a couple of years before you need to comply with the new regime but, particularly in the light of direct fines, you should be thinking about it now.
- Ensure your processes and technology will keep the data secure
- Train your staff so they know what they must and mustn’t do
- Update contracts with your customers and suppliers to show that you are ready for the new law by dealing expressly with data obligations
- Consider whether your insurance will cover you