GDPR - A recap on the changes

GDPR builds on the rights and principles already defined in the Data Protection Directive and the Data Protection Act (DPA); however, it also introduced some more significant changes, including the following:

  • A requirement to actively demonstrate compliance and to document processing activities.
  • Greater powers for supervisory authorities and increased remedies available to data subjects.
  • The Office of the Data Protection Commissioner (ODPC) now has the ability to issue fines for non-compliance. A recent example: WhatsApp was fined €225 million for breaching privacy regulations (BBC 2021).
  • Mandatory reporting of personal data breaches to the appropriate supervisory authority (where feasible, within 72 hours of becoming aware of the breach).
  • Introduction of ‘privacy by design’ as a concept when developing, designing, selecting and using applications, services and products that are based on the processing of personal data.
  • A requirement to complete privacy impact assessments (PIAs, called data protection impact assessments or DPIAs in the regulation itself) for change activity where there is a “high risk to the rights and freedoms” of the data subject, or where processing is likely to be carried out on a large scale.

These changes and recommendations are complemented by guidance from other supervisory bodies, such as the Information Commissioner’s Office (ICO) in the UK, which has advised organisations to consider the following:

  • The information you hold.
  • Awareness and communication.
  • Rights of individuals.
  • Data subject access requests.
  • Legal basis for processing.
  • Consent.
  • Processing of children’s data.
  • Data breach reporting.
  • Privacy by design and PIAs.
  • Data transfers.
  • Appointment of data protection officers (DPOs).

If you want to find out more about GDPR, read our blog: Data protection in SaaS – Who is responsible for what?


Data protection in SaaS – Who is responsible for what?

Although Europe already had some of the world’s most stringent data protection laws, those protections were upgraded when the General Data Protection Regulation (GDPR) came into force in May 2018. It is obvious who is responsible for maintaining the security of data held in in-house systems (you are), but the modern operating environment is much more complicated.

The average organisation now uses 1427 cloud services, which means that there are potentially 1427 points at which your business may expose sensitive personal data.


Who is a data controller and who is a data processor?

Under GDPR, your business is known as a “data controller” – you are the body that has obtained personal data and determined the purposes for which, and the means by which, it will be processed. The data controller bears the greatest responsibility for ensuring that information is properly protected against loss, theft or unauthorised sharing.

Every cloud provider that handles personal data on your behalf must share some of that responsibility, however, because it is classified as a “data processor”. GDPR places direct obligations on processors: they must implement appropriate security measures, process personal data only on your documented instructions, and be bound by a written contract with you that sets out these obligations – including protecting personal data against loss, theft or unauthorised sharing.


What is your cloud provider's responsibility?

In the past, data processors – like cloud service providers – had no real responsibility to understand the information held on behalf of their clients. Under GDPR this has changed: a processor must keep a record of the categories of processing it carries out for each controller, implement appropriate technical and organisational security measures, notify the controller without undue delay after becoming aware of a personal data breach, and assist the controller with the resulting investigation. In practice, that means the processor’s access logs and audit trails must exist, be retained and be retrievable when a breach is reported.

It is also extremely important to understand whether you or your cloud provider is responsible for implementing security. For PaaS/IaaS services, which provide a basic platform on which your company builds its own systems (think Amazon AWS and Microsoft Azure), the provider secures the underlying infrastructure but you are responsible for what you build on it – identity and access management, network configuration, encryption, patching and monitoring of your own workloads – so you will bear the greatest burden under GDPR.

If, on the other hand, your cloud provider offers security as part of a SaaS package, it is most likely responsible for maintaining the safeguards that protect your customers’ data. We say “most likely” because GDPR does not specify which party implements which control; it assigns obligations to controllers and processors, and leaves the split of security measures to be agreed between them. Your business must therefore agree which party will take responsibility for each aspect of security, and these agreements must be detailed in your service contract too.


Non-EU providers are still bound by GDPR

Under GDPR, any organisation that processes the personal data of individuals in the EU – whether or not it is established there – has the same data protection responsibilities when it offers them goods or services or monitors their behaviour, and is subject to exactly the same enforcement as a local organisation in the same position. This means that Google-based services, which have historically been delivered from data centres in the US, have to adhere to GDPR.

Importantly, your business will need to negotiate GDPR-compliant contracts with businesses outside the EU, and any transfer of personal data out of the EU additionally needs a lawful transfer mechanism, such as an adequacy decision or the EU standard contractual clauses. If an agreement is not possible, you will need to seek an alternative provider. Larger providers may not be willing to deviate from their standard terms to meet the specific contractual needs of your business and its customers, so consider this when negotiating.

Ignoring GDPR compliance is not an option – nor is assuming that regulators will automatically divide responsibility between the parties for you.

Ultimately you, as the data controller, hold the majority of the data protection obligations – but you need to be clear about where the responsibilities overlap, and address those overlaps with your partners in writing. Otherwise, you could be found liable for data loss regardless of whether the incident occurred in your data centre or in that of your SaaS provider.