How GDPR will weigh on cloud computing providers and impose new breach notification rules – Computing

December 6, 2016

In the first part, we looked at the new obligations and liabilities that will be introduced under GDPR, and how it will affect cloud computing by putting more responsibility (and the prospect of high fines) onto the shoulders of personal-data ‘processors’. 

It’s not just cloud that is going to be affected and required to have these terms-flowdown arrangements in place for sub-processors.

So, basically, all contracts for personal data processing will have to comply with the GDPR’s requirements by 25 May 2018. And both sides of the contract, controllers and processors alike, could be subject to a lower-tier fine if they have a non-compliant contract. Their contract could be compliant on 24 May and the next day it’s non-compliant.

There is no ‘grandfathering’ of existing contracts. If you have a contract now that’s already running but is going to run on beyond 25 May 2018, and you haven’t changed it to meet the requirements of GDPR, you could find that you are non-compliant and exposed to a fine from 25 May 2018.

Hopefully, cloud providers will be updating their standard contracts to make them compliant; it is difficult to know how much negotiation is possible. But one thing is definite: because of these flowdown requirements it may be impossible for a cloud provider to actually comply with all of them, unless it’s one of the giants – one of the Amazons, Googles or Microsofts – because they control the supply chain, or they have the bargaining power to force their sub-processors to accept these flowdown provisions if necessary.

But, you can imagine, if you’re a small SaaS provider, and you are trying to negotiate with a large cloud IaaS/PaaS sub-provider, it’s going to be hard to get them to accept these extra obligations. Some of them might decide as a commercial matter that they will, but if not it’s going to be difficult. And it may be impossible to get a third-party data centre provider to agree to the GDPR-required terms, if regulators insist on the flowdown going all the way down the chain.

So, really, I believe this is going to drive business towards the cloud giants (who control their supply chain and are therefore able to comply with the detailed new GDPR requirements), while putting SMEs in a difficult position. Is this consequence really what lawmakers intended when they put those prescriptive contract requirements into the GDPR? Did they fully consider the impact of those requirements on cloud, SMEs, innovation or competitiveness?

And, remember, all this applies also to non-cloud contracts.

But the bottom line is this: If your organisation has ANY contracts involving personal data processing that could expire after 25 May 2018, you’ve got to take stock; you’ve got to make sure you can track down those contracts so you can make them compliant, starting negotiation discussions sooner rather than later. If you’re entering into new contracts, again, you’ve got to take account of these issues; you’ve got to put in the GDPR-compliant terms now, or put in something into the contract to let you change them without penalty.

It’s probably better to put the GDPR terms in now, if you can, rather than trying to change them in 2018 when time is running out and you may be in a difficult bargaining position if, in practice, you can’t migrate away from a provider in time for 25 May 2018 should negotiations break down.

These extra GDPR requirements have got to go into the contract. That means there will be lots of lively discussion over who’s going to pay for the cost, who’s going to be responsible for what, who’s going to be liable for what and indemnities – who pays up in the event of a GDPR breach if there are fines or compensation claims.

Cloud providers could be directly liable themselves, and if somebody sues them but it was your fault, they are going to want to claim back from whoever is directly responsible – so they will want to spell out who is responsible for what, with clear liability allocation, and indemnities if they get sued or fined for infringements in situations where the cloud customer was more at fault.

And pricing, unfortunately, is probably going to go up to cover the cost of all this, as well as, for cloud providers, to account for their increased liability exposure.
