(G)D(PR)-day approaching: how the EU’s new data protection law is going to impact the Cloud and how DECIDE is dealing with this.

With 25 May fast approaching, the General Data Protection Regulation (GDPR, regulation 2016/679), the EU’s new legislation on the protection of the personal data of individuals, will soon become broadly applicable throughout the EU.

The GDPR contains very broad principles and guidelines on how personal data should be dealt with, which apply to nearly any company (cloud service providers and customers included), while practical guidance has been limited.

Many companies have therefore been struggling to bring themselves into compliance with the GDPR, first and foremost because not all of the GDPR’s obligations are clearly delineated and there is discussion about how certain principles must be implemented. In practice, many different approaches have been observed, e.g. in the granularity of record-keeping, in the threshold for appointing a Data Protection Officer or for carrying out a Data Protection Impact Assessment, or in the choice of appropriate organizational and operational measures to keep a given processing activity in compliance with the GDPR’s principles.

It will likely be a while before all of the GDPR’s principles have been translated into best practice, certainly when aiming for EU-wide best practice. This is because the GDPR will be applied by different national data protection authorities and additionally, the GDPR leaves some room for national “colouring” of some of its provisions. All of this leads to some extent of uncertainty on how the legislation should be applied in practice by each organization.

As such, the GDPR poses a challenge to every actor in DECIDE separately, i.e. both cloud service providers and cloud customers have to conduct their own GDPR compliance exercise. This is and remains a challenging task, since the GDPR’s principles and requirements bear great relevance in the Cloud, and both cloud service providers and cloud customers need to assess their status quo in terms of security, data management, confidentiality, policies and contracts, in order to ensure that the information they deal with is being used in compliance with the new regulation.

However, the real challenge in DECIDE, as has been touched upon in previous posts, is not to guide all involved actors through their own GDPR compliance process (which is absolutely out of scope of the project), but rather for DECIDE to play a facilitating role in matching the customer with the right cloud service provider(s) for the (micro)services the customer’s application requires, while fully taking the GDPR into account.

This is mainly relevant because in GDPR terms, a cloud service provider acts as a processor for the cloud customer (usually the application developer, see previous posts for more detail), which is the controller. This means that, with regard to whatever information the customer puts in the cloud as part of the delivered service, the cloud service provider will in legal terms be processing this information, even if its level of involvement is minimal (e.g. mere storage). In such a relationship between controller and processor, the GDPR requires the controller, i.e. the cloud customer, to choose a reliable and safe processor (i.e. cloud service provider), able to provide sufficient data protection guarantees so that the use of the cloud does not lower the level of protection for the data subjects involved, to whom the information of the cloud customer relates. Depending on the data involved, the cloud customer will be subject to different requirements under the GDPR and will therefore have different requirements to impose on any cloud service providers used. Moreover, the GDPR requires a written contract (called a data processing agreement) to be in place between them, containing a variety of obligatory provisions, and for this contract to be further imposed on any sub-contractors that the cloud service provider should use.

In other words, the GDPR requires parties in a (multi-)cloud relationship to be aware of each other’s requirements/status in terms of the GDPR. A cloud customer will for example not be able to use a cloud service provider which is unwilling to enter into a compliant data protection agreement or provides one that is non-compliant because it does not contain the obligatory clauses. Equally, a certain level of organizational and technical measures ensuring security and confidentiality needs to be in place according to the GDPR in order to allow a cloud customer to enter into business with a specific service provider (because of the general controller obligation to only employ processors providing sufficient guarantees to implement appropriate technical and organisational measures to ensure GDPR compliance).

As such, the GDPR impacts and in a sense limits the choice of cloud service providers. Moreover, if the cloud customer is dealing with sensitive data (e.g. health data) or large and diverse datasets, additional requirements may apply to its processing of that data according to the GDPR, which will then also have an impact on the selection of any cloud service providers the customer should use. For example, the GDPR will impose more stringent requirements on a hospital dealing with health data than on a company dealing with contact information of the contact persons of their suppliers. This will have an impact on the requirements the hospital/the company will have to impose on any cloud service provider they may use for these activities. Since these cloud service providers will be acting as processor, they will equally need to provide for more stringent measures in terms of control, oversight, security, confidentiality etc., appropriate to the more sensitive nature of the processing activity in the context of which the cloud service is being used. It is in this respect that DECIDE needs to be involved and play a facilitating role.

DECIDE will do so by enabling the application developer (i.e. the cloud customer) to enter legally relevant values and metrics into the non-functional requirements of the whole application. The DECIDE framework will then recommend only those cloud services which suit the developer’s needs, in particular with respect to the GDPR and the level of safeguards it requires.
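To illustrate the kind of filtering described above, here is an added example (hypothetical, not DECIDE’s own code) that compares a developer’s declared data sensitivity against the GDPR-relevant properties of a provider catalogue: whether the provider offers a compliant data processing agreement, whether it flows those terms down to its sub-contractors, and whether its technical and organisational measures are strong enough for the data involved. The sensitivity scale, the assurance levels and the catalogue entries are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed scale for how sensitive the application's data is: 0 = no personal
# data, 1 = ordinary personal data, 2 = special categories such as health data.
SENSITIVITY = {"none": 0, "personal": 1, "special": 2}

@dataclass
class Provider:
    name: str
    compliant_dpa: bool          # offers a DPA containing the GDPR's obligatory clauses
    subprocessor_flowdown: bool  # imposes those DPA terms on its own sub-contractors
    assurance_level: int         # strength of technical/organisational measures, 0..2

@dataclass
class Requirements:
    sensitivity: str             # one of SENSITIVITY's keys, declared by the developer

def provider_gaps(req: Requirements, p: Provider) -> list:
    """Reasons the provider cannot act as processor for this application; [] = suitable."""
    gaps = []
    needed = SENSITIVITY[req.sensitivity]
    if needed == 0:
        return gaps                      # no personal data: no processor obligations arise
    if not p.compliant_dpa:
        gaps.append("no compliant data processing agreement")
    if not p.subprocessor_flowdown:
        gaps.append("DPA obligations not imposed on sub-processors")
    if p.assurance_level < needed:
        gaps.append(f"assurance level {p.assurance_level} below required {needed}")
    return gaps

def recommend(req: Requirements, providers: list) -> list:
    """Names of providers with no gaps, i.e. the only ones the framework may propose."""
    return [p.name for p in providers if not provider_gaps(req, p)]

# Constructed sample catalogue (hypothetical providers, not real ones).
CATALOGUE = [
    Provider("alpha-storage", compliant_dpa=True,  subprocessor_flowdown=True,  assurance_level=2),
    Provider("beta-compute",  compliant_dpa=True,  subprocessor_flowdown=False, assurance_level=2),
    Provider("gamma-cdn",     compliant_dpa=False, subprocessor_flowdown=True,  assurance_level=1),
]

if __name__ == "__main__":
    for level in SENSITIVITY:
        print(level, recommend(Requirements(level), CATALOGUE))
```

For an application that handles no personal data every provider is acceptable, while declaring ordinary or special-category data eliminates the providers that lack a compliant DPA, sub-processor flow-down or sufficiently strong measures.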

As such, DECIDE is fully taking the GDPR into account in its design, ensuring that the use of the DECIDE framework is not another hurdle towards the full GDPR compliance of cloud customers, but rather an enabler. Equally, DECIDE enables cloud service providers to make their GDPR compliance level and the provided safeguards a selling point.