Cloud Data Protection Fitness - A Workout

Size: px

Start display at page:

Download "Cloud Data Protection Fitness - A Workout"

Verity Lucas
8 years ago
Views:

1 Cloudscape March 2016 Cloud Data Protection Fitness - A Workout Dr Kuan Hon k@kuan0.com kuan.hon@pinsentmasons.com

2 General Data Protection Regulation Adoption 2016? Jurists / linguists to finalise 10 Mar meeting In force 2018? 2 year lead time

3 Last year Combining photos by Dennis Hill (cloud) and tanakawho (dog) both under CC BY 2.0

4 Today Photo by Gavin Schaefer under CC BY 2.0

5 Harmonisation, scharmonisation Graphic on Flickr, Winfried reproduced with his kind permission

6 Beware of GDPR FUD Marketing initiatives! not cloud-washing but GDPR-scaremongering But - laypeople interpreting laws They re words, Jim, but not as we know them!

7 So AKA Data Protection Jobs For Life Regulation

Old tech / business models entrenched 1970s outsourcing Controller sub-processor processor Controller processor Processor has exclusive access / control over data delivered Processor s active

8 Old tech / business models entrenched 1970s outsourcing Controller sub-processor processor Controller processor Processor has exclusive access / control over data delivered Processor s active processing of data, as per controller s instructions Processor Cloud Sub-processor(s) controller 1010 Controller 0101 cloud server Controller retains direct access / control over Internet ( shared responsibility ) Controller s own direct self-service processing using processor s service / systems Customised service Commoditised service / system

9 True concern Access to intelligible personal data by provider / others ( cloud or otherwise! ) Control access through law ( eg statutory obligation, contract ) and /or technology ( eg encryption, access controls ) Tech Law

10 GDPR s key changes affecting cloud DPD Controller obligations & liability Controller s processor use - Choose: security only - Contract terms: instructions, security - Ensure compliance GDPR Controller obligations & liability + processor obligations & liability Controller s processor use - Choose: GDPR compliance - Contract terms: + more, & more prescriptive ( cloud.. ) - ( Commission clauses ) - Ensure compliance - Sub-( other ) processors - prior consent / change + terms flow down

11 Practical impact Contracts - processors & controllers o fine if contract non-compliant; no grandfathering! Contracts ending after around mid-2018 add appropriate terms on change of law / change control, so contract can be changed: o compliance with contract terms requirements, & who bears what costs o responsibility & liability allocation, indemnities NB. existing ( even non-cloud ) contracts too

12 Cloud scenarios many sub-processors SaaS Provider IaaS / PaaS Provider Data Centre Provider(s) Cloud Customers ( or with IaaS / PaaS Provider direct ) [ Not just cloud! ] Connectivity Provider(s) ( carriers etc )

13 The workout! Photo by Randy Robertson under CC BY 2.0

14 A B S Accountability ( & Audit rights controller, regulator ) Big fines Board-level issue Security obligations incl. processors NIS Directive overlap?

15 Largest ICO Fine v. 4% Large FS Co s 2014 Global Turnover 18.0 m 16.0 m 14.0 m 12.0 m 10.0 m 8.0 m 6.0 m 4.0 m 2.0 m 0.0 m Large FS Co 2014 (%) 20m = 15.3m 10m = 7.6m 10m 20m 4% 2% Fine

16 B I C E P S Breach notification NIS Directive too any data International transfers incl. onward Customising; Consent ( conditional? ) Enforcement resources? Strategic? Processor obligations, liability, contracts Security by design etc; mitigating fines Photo by PhotoAtelier under CC BY 2.0

17 P E C S Procedures organisational too eg online contracts - forms for info; consents Encryption, tokenisation, anonymisation, pseudonymisation etc. Codes & certifications Start now!!! Cropped from photo by Riordan King under CC BY 2.0

18 Practical points summary Contracts! and international transfers Sector-specific contract terms eg CSA, Eurocloud? - draft & submit for approval Safest to use only the cloud giants? can control supply chain, build EU DCs but enforcement targets? ( tho in own right ) Liability risk, so could others / giants leave EU / stop free services to EU residents?

19 Question Fitness of cloud for data protection laws or Fitness of data protection laws for cloud / new technologies?

20 Killing cloud quickly with DP? The GDPR's coming, soon to be law they say Middle of may be the fateful day! What will this mean for clo-ud? Will cloud be here to sta-ay? Don't want to be pessimistic, not sure how we'll find a way Killing cloud quickly with DP, killing cloud quickly, with DP, tearing up SaaS, PaaS and I-aaS Killing cloud quickly, with DP? Full article Photo of Roberta Flack by Roland Godefroy CC BY SA 2.5

21 Thank you! Dr Kuan Hon Half lawyer half geek mostly harmless Twitter: my domain below; also kuan.hon@pinsentmasons.com blog.kuan.com

Cloud Security under Forthcoming Laws

SecureCloud 2016 25 May 2016 Cloud Security under Forthcoming Laws Kuan Hon kuan.hon@pinsentmasons.com k@kuan0.com The laws, they are a-changin Cloud security under General Data Protection Regulation Proposed