If your business has moved workloads to the cloud, the people who did the moving likely went through the painstaking process of ensuring that any contracted vendors meet the various regulatory requirements around storing customer data. But with the General Data Protection Regulation (GDPR) set to take effect at the end of next month, it is a good idea for IT pros to take a second look at the contracts they have with their cloud providers, because those contracts must align with GDPR requirements.
Hyperscale cloud vendors -- including Amazon Web Services (AWS), Microsoft, and Google -- have gone through the process of meeting GDPR requirements, but it is incumbent on every company that uses cloud services to make sure nothing has fallen through the cracks. In most cases, this will require the advice of legal counsel.
A recent survey of 500 US and EU recruiting professionals involved in preparing their organizations for GDPR compliance found that 73 percent are working with external or internal legal counsel. The scope of the new regulation has motivated companies that use or provide cloud services to consult legal experts to ensure GDPR requirements are met in time for the fast-approaching deadline.
Evolve IP, a cloud service provider based in Wayne, PA, has been working with attorneys in the U.S. and EU on its path to GDPR compliance. The company provides virtual desktops, disaster recovery, IaaS, colocation, and cloud communications services to customers in regulated industries, including healthcare and financial services.
“This time last year we acquired a company in the Netherlands [Mtel] which has thrust us right into the middle of the GDPR conversation,” Evolve IP’s EVP of data engineering Joseph Pedano said. “It was also a very nice addition because they had already done a lot of the leg work, but having jumped into it sort of midstream with them and following up to make sure we are compliant by the May 25 deadline has been an interesting journey to say the least.”
The scope of the regulation and the lack of case law mean there is very little in the way of structure around security policies, best practices, or frameworks of the kind that exist for established compliance regimes such as PCI and HITRUST, Pedano said. In general, when assessing your cloud provider's ability to meet GDPR requirements, be ready to ask questions about data retention periods, breach notification protocols, data portability, security, and privacy by design.
“The biggest problem that companies are having is data identification,” Pedano said. “Who has their data, where is it, what are the policies surrounding it … a lot of companies are struggling.”
“There’s a specific example where we have consumer-based data in Salesforce that is getting sent to Marketo for marketing purposes. There’s two organizations that have parts of my data that I need to have contractual clauses with,” he said, noting that identifying all the vendors and external touchpoints that may have data access is a huge undertaking for most companies.
London-based technology and privacy lawyer Kolvin Stone said he goes through a discovery process with clients to understand what kind of data they have, how they use it, and who has access to it. This data audit ultimately helps determine their level of exposure to GDPR and their risk profile. Other factors that go into this assessment include the size of the company and the number of European users they have.
When it comes to cloud services startups, the very nature of their business means they are global from day one, he said, which means they can have a high level of risk.
Stone is a partner at Orrick and is Global Co-Chair of the firm's Cyber, Privacy and Data Innovation practice and its Technology Transactions practice. He has helped both cloud service providers and companies that use cloud services meet GDPR requirements. The firm also launched a GDPR Readiness Tool last year to help assess an organization's current state of compliance with the GDPR.
Once the discovery process is complete, Stone starts to build out a plan for them to comply with GDPR requirements. This involves making sure that the cloud service providers his clients deal with are meeting their obligations. This goes beyond just a contract, he said.
“You need to ask several questions of service providers before you engage with them,” Stone said, including understanding where they process data. “You have an obligation to understand where data is.”
Under GDPR requirements, personal data may not be kept longer than is necessary for the purpose for which it was collected, and once the retention period has expired, it must be deleted. This is arguably easier to carry out for data stored locally than for data in the cloud.
“The difficulty here is that data can be stored on multiple locations, under multiple jurisdictions, by cloud service providers, and therefore there is the challenge to identify and manage multi-jurisdictional retention requirements,” Deloitte said in its GDPR guidelines. “The deletion of data will also impose a challenge. To delete data completely, backups must be taken into consideration as well. Therefore, it is important to have a clear overview of how backups are secured and retention is managed by your cloud service providers.”
Tim Vogel, VP of compliance and security at Evolve IP, agrees that backups in the cloud can make GDPR compliance more complicated. If a customer asks a business to erase their information under the right to be forgotten, and the business holds 30-, 60-, or 90-day backups, or in some cases seven years' worth, locating the right information across all of those copies is a lot of work on the company's part.
“Over time as you start seeing more case law, we will see specific guidance on these specific issues,” Vogel said.
In addition to understanding where end-user data is held, it is up to the customer, as the data controller, to make sure that a vendor is fit for purpose and has appropriate security measures in place: for example, that it offers encryption, or that its product or app does not collect more data than necessary, Stone said.
Evolve IP uses standard contractual clauses (SCCs) based on a template from the EU Commission to define the data that is shared between two organizations. Pedano said that while the contracts are helpful with third parties, they have also been helpful in identifying data that is shared internally between its EU and US subsidiaries.
Pedano said he has started to see vendors he works with send over copies of these contracts, but for the most part vendors are not being particularly proactive in meeting GDPR requirements. He said only four vendors have reached out or provided a webinar around GDPR.
“Given that I work with hundreds of vendors that tells you how many are being proactive about this,” Pedano said.
“I believe a lot of people are being ignorant or wait-and-see or doing the minimum amount possible and over time, this is a very immature guidance and regulation, and as it gets mature, or someone gets made an example of, you’ll start to see people catch up.”
Stone said it is unlikely regulators are going to bang your door down on May 25, 2018 for non-compliance, but “if you don’t get your house in order, the risk increases, and there is going to be an issue.”