New regulation hits cloud computing service providers who hold EU citizen data in 2018
The UK Data Protection Act (DPA) is almost 20 years old
The Data Protection Act dates from 1998 and governs the way personal information is used by organisations, businesses and governments. It is enforced by the Information Commissioner's Office, which reports directly to the UK Parliament. The act was formulated around principles such as: data should be used fairly, securely, accurately, adequately and within the European Economic Area.
However, in 1998, when the Data Protection Act was released, internet adoption was very different from what it is today. For instance:
- There were 40 million internet users worldwide, concentrated mainly in: USA, Canada, Australia, New Zealand, Iceland, Netherlands, Switzerland, Denmark and Sweden
- Smartphones did not exist (they arrived in 2007)
- Commercial cloud services had not yet been born
- Computers stored 1 GB of data rather than 1 TB
- YouTube, Facebook, Twitter and Snapchat did not exist
So how has the legislation lasted so long?
UK regulators like to opt for principle-based laws rather than rule-based ones. This framework provides a time cushion and flexibility in how the laws are enforced, as all the principles (accuracy, adequacy, security etc.) can be reinterpreted in the light of the current context. Nonetheless, there was a realisation that the existing regulation was no longer fit for purpose.
Welcome, GDPR.
The General Data Protection Regulation goes beyond the existing DPA rules. It is primarily aimed at those who hold responsibility vis-à-vis data protection, referred to as "controllers" and "processors". The controller directs the "why" and "how" of the data processing, whilst the processor carries out the work needed.
Processors have a higher legal liability and are expected to keep a very tidy audit trail to evidence good controls. Controllers, on the other hand, need to ensure they have the right contractual agreements/SLAs in place to delegate the work.
The key difference between GDPR and DPA is accountability: businesses and organisations will need to organise staff training, HR reviews, audits, process documentation and new policies to demonstrate that they comply with the new regulation.
For a comprehensive comparison between the two regulations please refer to the table below:
Table 1: Differences between DPA (1998) and GDPR (2018)

| Criteria | DPA | GDPR |
|---|---|---|
| Jurisdictions | UK | EU and all global companies that hold data on EU citizens |
| Enforcement | Information Commissioner's Office | Supervisory Authority of each country |
| Penalties | 500,000 GBP or 1% of turnover | €20 million or 4% of the business's annual global turnover |
| Consent | Consent to process personal data must be 'freely given, specific and informed' | Consent must be "unambiguous", and the purpose for which personal data will be used must be made explicit |
| Corporates | No requirement for a data protection officer | A data protection officer is required for any corporate or organisation with more than 250 employees |
| Data breaches | Businesses are encouraged but not obliged to report data breaches | All breaches must be reported to the Supervisory Authority within 72 hours of the incident |
| Right to be forgotten | There is no requirement for an organisation to remove any data it stores on any individual | Any individual will have the 'right to erasure', which means all their data can be permanently deleted |
| Right to data portability | No format is currently enforced | Guarantees the ease of changing host provider by providing data in a standard structured format 'without hindrance' |
| Privacy impact assessment (1) | PIAs are encouraged but are not a legal requirement | An impact assessment is required if you are about to engage in activities or projects that pose an increased risk to data privacy |
(1) “Privacy impact assessments (PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.” Information Commissioner’s Office
GDPR impact on Cloud Service Providers
Cloud Service Providers are considered the data "processors" as per the definition above. That means they can no longer hide behind the premise of being mere service providers, and will need to adapt their processes, documentation and client agreements accordingly to prevent control failures and the resulting reputational damage and monetary fines. Of key importance is Article 26, 'the processor shall not enlist another processor without the prior specific or general written consent of the controller', which means the same diligence will need to be adopted industry-wide to remain competitive.
Google, Microsoft and AWS have already announced that they are making headway with the regulation and are looking to be fully compliant by the deadline.
Does this matter to the UK with Brexit? Many debates have taken place around whether the UK will need to comply with the new rules in the light of Brexit. Most of the available literature on the matter points to a positive answer. This is primarily because 1) Brexit will only take effect after GDPR goes live and 2) GDPR has been regarded as the gold standard for digital regulation and the UK took part in all the preparation work. The UK Government has renewed its commitment to reduce any negative effects of a sudden departure from EU rules by working on the Great Repeal Bill, which will absorb all EU legislation into domestic UK law.