Commercial technology · 27 November 2019 · Alex Dittel · Julia Barry

Keep your cloud provider in check! GDPR, EBA and NIS compliance

An organisation relying on cloud services has to:

  • carry out due diligence on the cloud provider’s security measures; and
  • put in place a data processing agreement which is compliant with the General Data Protection Regulation (GDPR).

The Irish Data Protection Commission’s recent Guidance for Organisations Engaging Cloud Service Providers serves as a timely reminder of these GDPR outsourcing requirements.[1]

Whilst most obligations under the GDPR are on the customer organisation as controller, the cloud provider will also have a number of direct obligations under the GDPR as processor. Gauging your cloud provider’s awareness of these obligations will give you a good sense of its overall level of compliance and suitability.

Applicability of the GDPR

Of course, the GDPR may not necessarily apply to parties outside the European Economic Area (EEA). However, if either the customer organisation or cloud provider sits within the EEA (the “establishment test”) or offers goods or services or monitors the behaviour of individuals in the EEA (the “extra-territorial test”), it may bring the other party within scope of the GDPR, as follows:

  • A customer organisation meeting the establishment or extra-territorial test will only be able to engage a cloud provider that allows it to comply with the GDPR outsourcing requirements even if the cloud provider is itself not subject to the GDPR; and
  • A cloud provider meeting the establishment or extra-territorial test will be subject to certain direct obligations under the GDPR even if the customer organisation is itself not subject to the GDPR.
  • According to EDPB guidance, such a cloud provider may not be used for processing that would entail “inadmissible ethical issues” or breach public order under European or national rules,[2] and the customer organisation will have to take account of that.
  • In addition, given the rise of GDPR-related class action across Europe, the question arises if the non-EEA customer organisation could be pulled into such claims where compensation is sought against its EEA-based cloud provider.

What are the cloud provider’s direct obligations under the GDPR?

The cloud provider’s GDPR obligations include:

  • the typical data processing obligations imposed under Article 28 of the GDPR, which are usually covered in a data processing agreement;
  • processing personal data only on the customer’s instructions;
  • immediately informing the customer if, in the cloud provider’s opinion, an instruction of the customer infringes the law;
  • keeping a record of processing carried out on behalf of the customer;
  • cooperating with the supervisory authority on request;
  • implementing technical and organisational measures to ensure a level of security appropriate to the risk;
  • notifying the customer without undue delay after becoming aware of a personal data breach;
  • designating a data protection officer where applicable;
  • appointing a representative where applicable; and
  • complying with the provisions on transfers of personal data to third countries.

What are the obligations of a customer using a cloud provider?

Instructions

The customer must satisfy itself that the cloud provider will not use personal data beyond the customer’s instructions.

Apart from covering this in the contract, another way of ensuring this is asking the cloud provider to produce a record of processing activities. The record is mandatory under the GDPR and if prepared correctly, it should give the customer a detailed explanation of what personal data will be processed by the cloud provider and for what purposes. Clarifying this will help the customer assess if the cloud provider ordinarily acts within instructions and which personal data, if any, is used for the cloud provider’s internal purposes.

Of course, it will not be a good sign if your cloud provider fails to keep a record of processing altogether.

Security

Sufficient security standards are key. The Guidance recommends that the customer should adopt detailed audit questionnaires. If the cloud provider counters by providing its own security documents the customer should not hesitate to enquire about any gaps in security or lack of transparency.

Detailed contractual security provisions will be required, and, according to the Guidance, the security measures should include:

  • pseudonymisation and encryption;
  • data segregation;
  • confidentiality, integrity and availability (the “CIA” principle) and resilience measures;
  • backups;
  • regular testing;
  • an incident response procedure; and
  • deletion of data after use.

We would of course recommend including provisions about physical security, hardware and software related measures, network security, access controls, acceptable use and staff training, subcontracting, backup, governance, audits and record keeping.

In short, without a high level of transparency from the cloud provider, the customer will be unable to comply with the GDPR. If in doubt, the Guidance encourages on-site inspections.

More detail about cloud provider security can be found in publications of the European Network and Information Security Agency (ENISA). Your cloud provider’s familiarity with these documents may be instructive.

Sub-processors

The cloud provider must be transparent about sub-processing and allow the customer to object to the appointment of third parties, if appropriate. Importantly, the Guidance stresses that any standard contractual clauses for international transfers of personal data must be extended to any sub-processors.

Codes of conduct

Approved codes of conduct of the cloud provider are welcomed, but just like with any other materials provided by the cloud provider, the customer must understand the limitations of these documents and not fail to make further enquiries if appropriate.

Liability

Liability for any GDPR infringement or personal data breach must be apportioned and any limitation of liability must be clearly defined.

Cloud providers serving financial firms

Sector specific regulations may require the customer to impose certain standards on its cloud provider.

For example, financial and credit institutions, designated investment firms, payment institutions and electronic money institutions have to comply with the EBA’s Guidelines on outsourcing arrangements.[3]

The guidelines apply to any ‘critical and important outsourcing’ which will inevitably include certain types of cloud outsourcing. The focus is on governance and security.

Apart from having an outsourcing policy and keeping a register of outsourcing arrangements, which are reviewable by the regulator, the customer must include in the contract with its cloud provider:

  • audit rights;
  • clear rights of termination;
  • exit provisions;
  • rights to monitor supplier performance;
  • controls over sub-contracting of services; and
  • provisions regarding availability, privacy and integrity of data.

This article provides further information. The governance requirement is also emphasised by the FCA fine on Raphaels Bank earlier this year.

What if the customer fails to be diligent?

A recent GDPR fine in Poland has highlighted the need to take your processor due diligence seriously. A fine of around £8,000 was imposed on the mayor of a city for failing to enter into data processing agreements with two companies that hosted data and created and serviced software for the city hall’s public information bulletin. This is a relatively small warning shot given that the upper threshold is the greater of €20 million or 4% of worldwide group turnover.

In addition, with the rise of GDPR-related class action across Europe, a party relying on cloud services could face a claim for compensation for material or non-material damage caused by its failure to select a suitable cloud provider.

Are cloud providers under scrutiny too?

The compliance burden is mainly on the customer organisation. However, the European Data Protection Supervisor and European regulators have been looking at cloud providers too, particularly in the context of data processing terms which are too favourable to the cloud provider. As the investigation is ongoing, customer organisations will be encouraged to push for more compliance in the cloud providers’ data processing terms, which are often presented as non-negotiable.

The German authorities have highlighted concerns in relation to Office 365 about the storing of information about children, issues around transparency, the lawful basis of processing and transfers of data to the US. Following the Dutch government’s recent involvement, Microsoft has updated its privacy notice. The company increased transparency regarding its processing of data for administrative and operational purposes, such as account management, financial reporting, combatting cyberattacks on Microsoft products or services and complying with legal obligations. Of course, any collection of information from user machines is subject to the consent requirements under the Privacy and Electronic Communications Regulations. However, consent may not be valid if the personal data relates to minors, for example, where the Office suite is used in schools.

Under the Network and Information Systems Regulations 2018, a cloud provider which meets certain criteria as a digital service provider must take appropriate and proportionate technical and organisational measures to manage the risks to its systems. These measures will cover security of systems, monitoring, auditing and testing of performance, incident handling, business continuity, and compliance with international standards. The Information Commissioner’s Office has powers of inspection and can issue penalties of up to £17 million for the most serious breaches.

It will not come as a surprise that in its recent report into IT Failures in the UK Financial Services Sector, the UK’s Treasury Committee recommended that cloud service providers servicing the financial services sector should be subject to further regulation.

[1] Guidance for Organisations Engaging Cloud Service Providers. Data Protection Commission, October 2019.

[2] Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version 2. EDPB, 12 November 2019, page 13.

[3] EBA Guidelines on outsourcing arrangements. European Banking Authority, 25 February 2019.
