The Application and Impact of GDPR on Cloud Service Providers
A Cloud Service Provider is defined as an organization that offers infrastructure, network services and business applications in the cloud. Organizations and individuals that use cloud services can easily share information and data in the cloud for business and personal purposes. Information and data in the cloud is stored on physical or virtual servers, which reside in the facilities of a cloud service provider.
A Cloud Service Provider is defined as an organization that offers infrastructure, network services and business applications in the cloud. Organizations and individuals that use cloud services can easily share information and data in the cloud for business and personal purposes. Information and data in the cloud is stored on physical or virtual servers, which reside in the facilities of a cloud service provider. These servers are maintained and controlled by the cloud service provider. Cloud service users can access information and data in the cloud via internet connection.
Cloud Service Providers offer three types of services that can be used in the cloud, including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
The Software as a Service (SaaS) is a software distribution model that is owned, delivered and managed by a vendor, who hosts applications over the internet. This model allows designated users to access and use applications via internet connection. Some SaaS vendors also integrate Application Programming Interfaces (APIs) to connect SaaS applications with other applications, in order to meet the customer demands in a particular industry. The main benefits of this model include:
- It provides access to user applications from anywhere in the world when a device is connected to internet.
- It provides a greater security of data found on the cloud.
Examples of vendors that deliver SaaS solutions include Oracle, SAP, Cobweb, Cisco WebEx, Google Apps, Dropbox and more.
The Platform as a Service (PaaS) is a cloud computing model, in which a vendor provides a platform, which can be used by users to develop, manage, customize, test and operate applications. When using this model, organizations can benefit by focusing on the development of applications and not on infrastructure, having a higher level of security, better operating system and backup methods, having the opportunity to develop and host applications in the same environment and more.
Examples of vendors that deliver PaaS solutions include Microsoft Azure, Google App Engine, AWS Elastic Beanstalk, IBM Cloud Platform and more.
The Infrastructure as a Service (IaaS) is a cloud computing model that provides users with access to computing resources such as networking, servers and storage. When using this model, organizations have the opportunity to use their own platforms or applications within the infrastructure of the Cloud Service Provider. The main benefits of this model include:
- It provides the organization with the ability to scale the infrastructure based on the processing and storage needs.
- It enables the organization to save money by avoiding the purchase of a hardware.
- It minimizes the opportunity of data failures on the cloud.
Examples of vendors that deliver IaaS solutions include Amazon Web Services (AWS), Microsoft Azure, Google Compute Engine, Digital Ocean, Rackspace Open Cloud and more.
As an emerging technology, cloud computing solutions have many challenges related to data security and privacy. When an organization decides to move to the cloud, it should take into consider deration the increasing risks of uncontrolled activities, vulnerabilities and data breaches. Another challenge that can be faced by organizations relates to the implementation of measures that lead to compliance with applicable laws and regulations. Considering that multiple divisions of cloud service providers are located in different locations, organizations must have knowledge over the privacy rules of the state they operate in and of the state where their customers data is stored by the cloud service provider. As such, when selecting a cloud service provider data protection and information security matters must be considered.
A Cloud Service Provider that operates within the EU or outside and processes data of EU residents must comply with the requirements of the General Data Protection Regulation (GDPR) in order to proceed its activities and ensue customer satisfaction. The General Data Protection Regulation (GDPR) affects Cloud Service Providers by:
- Setting requirements and principles over the processing activities of personal data.
- Setting lawful basis of processing, providing data subjects with rights such as the right to obtain information, the right to access their information, the right to withdraw their consent, the right to modify their information, and the right to object the processing activities by the cloud service provider.
- Setting requirements regarding privacy by design for those engaged in data processing and controlling activities.
- Setting requirements over data ownership and data portability rights.
- Setting security measures that must be implemented to ensure privacy of data.
- Setting general principles regarding the processing of personal data to international parties and third-countries.
- Setting requirements regarding the management of breaches and incidents.
- Setting requirements regarding the development of contractual agreements and data retention periods and other applicable requirements.
Considering these and other additional GDPR requirements, Cloud Service Providers that fall under the GDPR territorial and material scope are required to take a proactive approach towards the development of a data protection and information security framework that ensure the implementation of the GDPR requirements and appropriate management of personal data and processing activities.
In order to design a framework that ensure compliance of cloud service providers with the GDPR requirements, the following elements must be considered:
The Role of The Cloud Service Provider Under The GDPR
The cloud service provider must clarify its role based on the recruitments set by GDPR. A cloud service provider may be a data processor, data controller, or both. By identifying its role, the applicable GDPR requirements are easier to be determined. Cloud service providers that carry out processing activities can no longer avoid the implementation of security measures as before because GDPR does not exclude them from the list of accountabilities. Therefore, the determination of the roles and responsibilities is the first step that should be taken when seeking to develop a data protection framework.
The Processing Principles
In order to carry out processing activities and its cloud services, the cloud service provider shall ensure that processing principles are being followed. In order to ensure compliance with the processing principles, the cloud service provider shall ensure that measures regarding lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation and integrity and confidentiality of information are defined. The cloud service providers shall use information of the cloud users only upon agreed agreements, and when the information is used requirements of the GDPR must be followed.
The GDPR Requirements Regarding Controller-Processor Relationship
The relationship between the controller and processor is important because it shall be based on an agreement that specifies the role of each party, their responsibilities and rights. In case the controller is the cloud user and the processor is the cloud service provider, an agreement prior to engaging into processing activities must be defined. Such agreement must state how information will be handled, the legal basis of processing, the technical measures implemented by the processor, the code of conducts and the cloud user protection requirements.
In case the cloud service provider engages sub-processors into processing activities, additional contractual agreement must be made. Such agreements authorize sub-processors and processors carry out processing activities in compliance with the GDPR requirements.
Appropriate measures that ensure a level of security on the cloud must be implemented by the cloud service provider. Such measures shall ensure ongoing confidentiality, integrity, availability and resilience of the processing system and the ability to restore and access personal data in case of an incident. The cloud service provider must be able to test the effectiveness of the technical and organizational measures in order to ensure security of processing and provide a safe information hosting environment for the cloud users.
Data Retention Periods
The data retention period is the length of time that the cloud service provider stores the cloud user data. The cloud service provider must establish data retention period even though under GDPR there no specific retention periods established. When setting the retention periods, two factors such as the purposes for processing personal data and the legal requirements for retaining it must be considered. The cloud service provider or any other organization has the right to retain data for unlimited period of time for compliance and legal purposes, however the cloud user shall be informed in case of such event.
Location of Data
Location of the data is one of the most important elements that should be considered when designing a data protection framework. This element is important because the location of the data identifies the need for implementing security measures, adequacy decisions, binding rules, and more. Cloud service providers are known to have multiple sites around the world where data of cloud users is stored and handled. Considering that the GDPR requirements cover organizations that operate within the EU or process data of EU citizens, data mapping and location identification activities must be considered. The cloud service provider must ensure that information is stored in safe locations and that agreements with the state in which it operates exist. Through such agreements, the cloud service provider is able to carry our processing activities based on appropriate safeguards and minimize the risk of information breaches.
Donika Mucolli Pacolli is the Training and Development Supervisor of TRECCERT. As a methodical and amenable professional with years of experience in training development, she has been engaged in the development of numerous training courses based on ISO standards and GDPR. Donika is a lifelong learner with an ongoing curiosity, which is evidenced in her current role where she has already managed to oversee the development, review and improvement of TRECCERT training materials.