Business and commercial updates: Contracts in the Cloud: are you GDPR compliant?


Thu 21, 06 2018

This article originally appeared in the IABM Journal, issue 105 which is available to view online here

Curated by IABM Finance Director Lucinda Meek

Business and commercial updates

Talking with members at various shows and events, it became clear to me that they would find it useful if IABM could provide briefings on topical, general business operational concerns alongside the wide range of broadcast and media industry-specific information we already offer members. That’s why we’ve introduced the new Business and Commercial Updates section to the Journal and in this edition, we are looking at cyber liability insurance, the potential effects of the new data protection regulations on contracts in the cloud, and an integrated approach to marketing.

I would welcome suggestions from members for future topics, and will myself continue to search out relevant, authoritative analysis and guidance on topical business issues. Things continue to change at such a pace that I am certain there will be no shortage of new subjects to examine!

Contracts in the Cloud: are you GDPR compliant?

Written by Michael Griffin, Paralegal, Harrison Clark Rickerbys

From start-ups to multi-nationals and everything in between, in the last few years we’ve all become dependent on cloud services that help us to deliver cost savings and efficiencies across our businesses.

The cloud is not just present in our workplace, though; cloud services permeate aspects of our lives from the way we engage with our friends to the way we buy our car insurance and how we shop for food.

What’s yours is mine – who’s processing your personal data?

In nearly all cases, cloud services to you or your customers will be provided by a third party. They will hold your data and they will process it for you. But do you really know what they are doing with it and what risks that presents to you, your customers and your business? In this article, we explore some of the key issues you need to consider when using cloud services to limit your exposure to risk, with a particular focus on the new General Data Protection Regulation (GDPR) that came into force in May 2018.

High standards – even greater fines

The GDPR fundamentally changes the way in which businesses are able to process Personal Data, setting the compliance bar significantly higher than the previous legislation.

And if you get it wrong the potential fines for a serious breach are $20 million or 4% of your global annual turnover!

So if you outsource any part of your business operation to a cloud provider who processes Personal Data (from your payroll to your hosting) you need to make sure that both you and your cloud services provider are compliant. If not, you could well be liable in the event of a breach.

To limit your risk of a cloud provider putting you in breach of the GDPR you will need to ensure you have a contract in place with them and that they have adequate (and compliant) data protection provisions and security standards in place.

The actual level of these standards will depend on the type of data being processed and the type of software or service required – the more sensitive the data they process for you the higher the standards of control need to be – but at the very least you will want to ensure some baseline expectations. This should ideally include provisions that require your cloud supplier to employ at least basic physical, administrative, and technical safeguards to protect confidential information and personal data.

There’s been a breach!

The new GDPR states that if you have a breach, you only have 72 hours to report details of the breach to the regulator. Breaches can come from all sorts of places, and whilst they mostly come from carelessness and human error, they also come from external attacks on your systems (and attacks on the people that host your systems).

So that you don’t lose time in assessing the risks caused by the breach and how you should address it, it’s crucial that your cloud provider is part of your solution when things go wrong. In the event of a breach you may need to call on them quickly to help you investigate that breach, what happened and what went wrong. If you can’t contact them at 11pm on a Friday night and have to wait until Monday morning, you’ve already lost a significant amount of time. Your contract with them needs to fit into your internal breach management plan and how you are going to remedy the breach. They also have to take responsibility for their own compliance.

The damages incurred by a data breach can be catastrophic for both your business finances and its reputation. The GDPR places a much more stringent obligation on data handlers, so making sure that your technology contracts are up to date with the new law, before it comes in, should be a business-critical consideration.

Location location

Doing business in the Cloud presents a unique problem around where your data (and Personal Data) is stored. Cloud services will often use servers based outside the EEA, and even where Cloud service providers (and their servers) are based in the EEA, their support services and call centres (all of whom have access to your Personal Data) are serviced remotely, often providing support outside UK hours, from the US, India or further afield.

In all of these cases the processing of Personal Data needs to comply with the GDPR, and you must know where the Personal Data you are responsible for is stored or processed.

There are many solutions provided by large cloud services providers which guarantee that processing will only be within the EEA. Does your cloud provider offer this? Even if it does, is its support team, in and out of hours, based inside the EEA? Does your cloud provider outsource its customer support? If it does, does the business they outsource to (who could be processing Personal Data for you) have a contract in place which ensures that it complies with the GDPR?

T&Cs: not as easy as 123

Chances are that if you are signed up to any cloud services, you did so on the basis of the provider’s standard terms and conditions.

You will need to revisit these terms in light of the GDPR as they are highly unlikely to meet the much more stringent GDPR requirements.

The GDPR requires you as a data controller to ensure that you have a ‘data processing agreement’ in place with your cloud provider to ensure its compliance – easier said than done! This agreement needs to impose a number of new obligations on your cloud provider to make sure it complies with the GDPR and will work with you if anything goes wrong.

Whilst cloud providers are increasingly becoming savvy to the benefit of amending their standard terms to reflect their customers’ need for GDPR compliance, uptake is slow. In practice you will find it difficult to negotiate specific terms with your cloud provider, so you will need to think carefully about who you pick as a service provider to make sure you remain GDPR compliant.

Termination + transition services

The technology behind Cloud services is still advancing at breakneck speed but the market is starting to mature. As a result, it is highly likely that at some point in time you or your service provider will move to a new Cloud supplier. When this happens, you will want the move to be as seamless as possible and not lead to any interruption or downtime for you or your customers.

To make sure you can be nimble when you need to move and ensure a smooth transition, you should make sure that any Cloud contract you agree to allows you to move service providers easily (along with all of your data).

During any transition at the very least you will want to make sure your current Cloud provider provides continuous services and transition support until your migration is completed. And again, in all of this you will want to make sure that your service provider complies with their obligations under the GDPR.
