Cloudscape 2016, 8 March 2016
Cloud Data Protection Fitness - A Workout
Dr Kuan Hon, k@kuan0.com, kuan.hon@pinsentmasons.com

General Data Protection Regulation
- Adoption 2016? Jurists / linguists to finalise; 10 Mar meeting.
- In force 2018? 2-year lead time.
Last year Combining photos by Dennis Hill (cloud) and tanakawho (dog) both under CC BY 2.0
Today Photo by Gavin Schaefer under CC BY 2.0
Harmonisation, scharmonisation Graphic on Flickr, Winfried Veil @winfriedveil, reproduced with his kind permission
Beware of GDPR FUD: marketing initiatives! Not cloud-washing but GDPR-scaremongering. But - laypeople interpreting laws: "They're words, Jim, but not as we know them!"
So... AKA the Data Protection Jobs For Life Regulation.
Old tech / business models entrenched
1970s outsourcing model (controller -> processor -> sub-processor):
- Processor has exclusive access to / control over the data delivered to it.
- Processor actively processes the data, as per the controller's instructions.
- Customised service.
Cloud model (controller -> cloud provider as processor -> sub-processor(s)):
- Controller retains direct access to / control over its data on the cloud server, via the Internet ("shared responsibility").
- Controller does its own direct self-service processing using the processor's service / systems.
- Commoditised service / system.

True concern: access to intelligible personal data by the provider / others (cloud or otherwise!). Control that access through law (eg statutory obligation, contract) and/or technology (eg encryption, access controls).

GDPR's key changes affecting cloud
DPD (Data Protection Directive, today):
- Controller obligations & liability.
- Controller's processor use: choose on security only; contract terms cover instructions and security; ensure compliance.
GDPR:
- Controller obligations & liability, plus processor obligations & liability.
- Controller's processor use: choose for GDPR compliance; contract terms: more, & more prescriptive (cloud..); (Commission clauses); ensure compliance.
- Sub-(other) processors: prior consent, including to changes; terms flow down.

Practical impact
Contracts - processors & controllers:
o Fine if contract non-compliant; no grandfathering!
o Contracts ending after around mid-2018: add appropriate terms on change of law / change control, so the contract can be changed: compliance with contract terms requirements, & who bears what costs; responsibility & liability allocation, indemnities.
NB. existing (even non-cloud) contracts too.

Cloud scenarios: many sub-processors [not just cloud!]
Cloud customers -> SaaS provider -> IaaS / PaaS provider (or customers with IaaS / PaaS provider direct) -> data centre provider(s); plus connectivity provider(s) (carriers etc).
The workout! Photo by Randy Robertson under CC BY 2.0
A B S
- A: Accountability (& audit rights: controller, regulator)
- B: Big fines; board-level issue
- S: Security obligations incl. processors; NIS Directive overlap?

[Chart: largest ICO fine per year, 2010-2015 (y axis 0-18m), against 2% and 4% of a large FS company's 2014 global turnover; GDPR maximum fines of €10m / 2% and €20m / 4% of global turnover (€20m ≈ £15.3m, €10m ≈ £7.6m).]

B I C E P S
- B: Breach notification (NIS Directive too; any data)
- I: International transfers, incl. onward transfers
- C: Customising; Consent (conditional?)
- E: Enforcement: resources? strategic?
- P: Processor obligations, liability, contracts
- S: Security by design etc; mitigating fines
Photo by PhotoAtelier under CC BY 2.0

P E C S
- P: Procedures (organisational too, eg online contracts: forms for info; consents)
- E: Encryption, tokenisation, anonymisation, pseudonymisation etc.
- C: Codes & certifications
- S: Start now!!!
Cropped from photo by Riordan King under CC BY 2.0

Practical points summary
- Contracts! And international transfers.
- Sector-specific contract terms, eg CSA, Eurocloud? Draft & submit for approval.
- Safest to use only the cloud giants? They can control the supply chain and build EU DCs, but are they enforcement targets? (Though liable in their own right.)
- Liability risk, so could others / giants leave the EU / stop free services to EU residents?

Question: fitness of cloud for data protection laws, or fitness of data protection laws for cloud / new technologies?
Killing cloud quickly with DP?
The GDPR's coming, soon to be law they say
Middle of 20-18 may be the fateful day!
What will this mean for clo-ud? Will cloud be here to sta-ay?
Don't want to be pessimistic, not sure how we'll find a way
Killing cloud quickly with DP, killing cloud quickly, with DP,
tearing up SaaS, PaaS and I-aaS
Killing cloud quickly, with DP?
Full article: www.scl.org/site.aspx?i=ed46375
Photo of Roberta Flack by Roland Godefroy, CC BY SA 2.5

Thank you!
Dr Kuan Hon - half lawyer, half geek, mostly harmless
Twitter:
Email: k @ my domain below; also kuan.hon@pinsentmasons.com
www.kuan.com, blog.kuan.com