Although Europe already has some of the world’s most stringent data protection laws, those protections were upgraded when the general data protection regulation (GDPR) came into force in may 2018. Although it is obvious who is responsible for maintaining security of data held in in-house systems (you are), the modern operating environment is much more complicated.

The average organisation now uses 1427 cloud services, which means that there are potentially 1427 points at which your business may expose sensitive personal data.


Who is a data controller and who is a data processor?

Under GDPR, your business is known as a “data controller” – you are the body who has obtained personal data and outlined how it will be used. The data controller bears the greatest responsibility for ensuring information is properly protected against loss, theft or unauthorised sharing.

Every cloud provider you use must share some of that responsibility however, as they will now be classified as “data processors”. By accepting your business, data processors agree to be bound by the same terms as you – to protect personal data against, loss, theft or unauthorised sharing.


What is your cloud provider’s responsibility?

In the past, data processors – like cloud service providers – had no real responsibility to understand the information held on behalf of their clients. Under GDPR this has changed slightly – the processor must at least maintain logs of data access for use in any investigation following a reported GDPR breach.

It is also extremely important to understand whether you, or your cloud provider, is responsible for implementing security. For PAAS/IAAS services which provide a basic platform on which your company builds its own systems (think amazon AWS and Microsoft Azure), you are most likely responsible for security provisions – so you will bear the greatest burden under GDPR.

If, on the other hand your cloud provider offers security as part of a SAAS package, they are most likely responsible for maintaining safeguards to protect your customers’ data. We say “most likely” because the GDPR does not specifically divide responsibility. Instead, your business must agree which party will take responsibility for each aspect of security. These agreements must be detailed in your service contract too.


Non-EU providers are still bound by GDPR

According to GDPR, any business processing data belonging to EU citizens has the same data protection responsibilities – and will be prosecuted to exactly the same extent as a local organisation in the same position. This means that google-based services – which have historically been delivered from data centres in the US – will have to adhere to GDPR.

Importantly, your business will need to negotiate GDPR-compliant contracts with businesses outside the EU. If an agreement is not possible, you will need to seek an alternative provider. Larger companies may not be able to offer sufficient flexibility to meet the specific contractual needs of your business and its customers, so consider this when negotiating.

Ignoring GDPR compliance is not an option – nor is assuming that investigators will automatically divide responsibility between parties.

Ultimately you, as the data controller, will hold the majority of the data protection obligations – but you need to be clear where there are any overlaps, and address them with your partners. Otherwise, you could be found liable for data loss – regardless of whether the incident occurred in your data centre, or that of your SAAS provider.