Cloud and GDPR: What are the issues?
- Posted on March 16, 2018
As businesses work through the impact of GDPR, attention is turning to cloud apps (Salesforce, Dropbox, WeTransfer, etc.) and the service providers behind them. A number of common themes are emerging, as the recent Netskope and Deloitte reports show.
In general, an enterprise that uses a cloud service provider expects the privacy commitments it has made to its own customers and employees to be honoured by that provider as well: under GDPR the enterprise remains the controller and the provider acts as its processor. That expectation does not enforce itself, so the following areas need specific attention:
1. Know where cloud apps process and store your data. The vendor's headquarters is seldom where the data actually lives; data is replicated and moved between data centres, and a provider operating in several regions may well hold personal data outside the EEA. A transfer outside the EEA is only lawful under an adequacy decision or another recognised transfer mechanism (such as Standard Contractual Clauses), so controllers (i.e. the enterprise) need a multi-country cloud strategy that satisfies those transfer rules as well as local data laws. Where the provider operates in many jurisdictions, the rights of data subjects may also be subject to different conditions in each.
2. Take appropriate technical and organisational measures to protect personal data against loss, alteration and unauthorised processing. You need to know which apps meet your security standards, and either block the ones that don't or put compensating controls around them. Base that judgement on evidence (audit reports, certifications, your own testing) rather than on the vendor's marketing claims.
3. Collect only the data that is necessary and restrict the processing of "special category" data. Specify in the data processing agreement that the app collects and processes only the personal data needed to perform its function and nothing more. Special category data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning sex life or sexual orientation) may only be processed under narrow conditions and deserves its own controls.
4. Don't allow cloud apps to use personal data for their own purposes. State clearly in the data processing agreement that the data remains yours, that the provider processes it only on your documented instructions, and that it is not shared with third parties or sub-processors without your authorisation. The controller must also be able to retrieve the data in a structured, commonly used and machine-readable format so it can be handed to the data subject or to another controller.
5. Ensure that you can erase the data when you stop using the app. Make sure you can export your own data immediately and that the provider erases it (including copies held in backups and by sub-processors) once you terminate the service. The sooner the better (i.e. less than a week), because the longer the data lingers, the higher the risk of exposure.
6. The contract should define what counts as a breach and set out the procedure by which the provider notifies your enterprise without undue delay. Even when a breach at the provider affects many customers, you as controller remain responsible for notifying the supervisory authority (within 72 hours of becoming aware, where feasible) and any affected data subjects, and for external communications; the provider supports you rather than speaking for you. What controllers want to avoid is a breach making headlines before the provider has told them and before they have been able to notify the supervisory authority. As a controller you do not control the cloud provider's IT environment and must rely on the controls the provider has in place, so it is always necessary to assess, and periodically re-assess, how far the provider can meet your IT security requirements.
GDPR has implications in many areas and it is important to be aware of them. No doubt there will be plenty more issues to resolve before GDPR applies from 25 May 2018.