Cloud & SaaS - GDPR Requirements in Practice
FACT: More and more businesses are using cloud software solutions.
It is therefore important to look at the legal framework in respect of data protection, insofar as it is applicable to software providers.
Nowadays, most people use Software as a Service (SaaS) in business or in their personal lives - for example, through CRM systems, online banking, e-commerce and web services (such as Amazon).
Unsurprisingly, when using SaaS solutions or cloud software and storage, masses of personal data are processed and stored within these platforms, and when talking about personal data - the GDPR needs to be taken into account (at least where services are provided within the EU or involve personal data belonging to EU residents).
Who are the key players in the SaaS environment from a GDPR perspective?
The data controller: A customer purchasing the cloud computing service. The customer remains the controller during the whole duration of the contractual relationship.
The natural person (individual) whose personal data are processed and collected through the cloud service (applicant, customer data etc).
The data subject does not have a direct relationship with the cloud service provider but only with the controller. The controller has obligations towards the data subject in terms of transparency.
The cloud service provider: A technical data processor. This is only an incidental processing of data and the aim in itself is to run the service.
Sub-processors that are engaged by the processor, typically there is no relationship between the controller and the sub-processor. But there is always a chain of contracts from the controller to the processor and to any sub-processor.
The conclusion of a Data Protection Agreement (DPA) between the controller and the processor is therefore a compulsory requirement between cloud providers and their customers to ensure compliance with the GDPR.
GDPR: What is new for Cloud and SaaS?
For cloud services, nothing major or negative has happened since the GDPR apart from a few additional safeguards for customers and controllers which need to be implemented.
DPAs in the form of Standard Contractual Clauses (SCCs) for international transfers often remain the legal basis (and GDPR has not really changed anything in this respect). However, we note that:
There are more obligations on processors which results in less risk on controllers for processors’ failings (such as an obligation to provide assistance in GDPR matters).
The GDPR is not drafted from a commercial perspective and compliance is not the easiest task for businesses to undertake - although this is not an issue specific to cloud computing.
In this respect, the use of an established cloud provider might help controllers to meet their accountability and documentation obligations under the GDPR.
Controllers need to document why they chose a certain provider, solution or process, and why that choice is in line with GDPR.
Of course, the requirement to adhere to the data security and data confidentiality provisions in the GDPR is arguably a lesser burden if controllers use an established provider with a track record for compliance and robust systems.
For SaaS and cloud software providers, it is therefore key that you have robust systems in place in order to meet your compliance and IT security obligations under the GDPR, and to be able to fulfill your role as processor and all of the rights and obligations which are attached to that status - for example by conducing a Data Protection Impact Assessment (DPIA), developing your product in accordance with Privacy By Design principles or by providing your customers with suitably drafted DPAs which are fully adapted to your service and the associated risks.
For business customers and users of these services, you also need to make sure that you have proper contracts in place covering such things as data transfers, liability and indemnities, and that you properly audit your potential suppliers - especially if you are using these solutions to manage personal data!
If you wish to discuss further or need any specific advice, do not hesitate to get in touch!
Article by Marie Mortreux and Charlotte Gerrish @ Gerrish Legal, November 2018