Updated: Apr 13
Cloud providers can satisfy the compliance needs of businesses, including those in regulated sectors, without compromising their own operations and security as a result of the way the General Data Protection Regulation (GDPR) is worded.
Data protection laws apply to businesses that process personal data in the cloud in the same way that they do if the business processes that information on their own IT infrastructure. It means cloud customers must satisfy themselves that their cloud provider operates in a way that enables them to meet their own data protection obligations.
In regulated sectors, such as financial services, further sector-specific regulations will also apply to cloud customers and create potential barriers to cloud adoption. This is something that cloud providers recognise they must address to win business from regulated companies, such as banks.
However, cloud providers have a legitimate right to protect their own interests, not least to ensure they can operate efficiently and securely and manage costs. On the face of it, meeting the compliance requirements of banks can create a tension in this respect.
There is scope within the wording of the GDPR, though, for cloud providers to help banks satisfy themselves that their cloud arrangements comply with rules such as those on sub-contracting, auditing and breach notification without undermining providers' operational efficiency and security.
Cloud providers will use sub-contractors when delivering services to banks. Both financial services rules and the GDPR put an onus on banks to have oversight of sub-contracting arrangements, and the cloud supply chain as a whole.
According to cloud outsourcing guidance developed by the European Banking Authority (EBA), financial institutions are required to maintain a list of the names of any subcontractors involved in both material and non-material cloud outsourcing arrangements they have in place.
The GDPR allows banks to give a general written authorisation to cloud providers to use other businesses further down their supply chain to process personal data. However, where a general written authorisation has been received, cloud providers must notify banks where it intends to make any changes concerning the addition or replacement of other processors, to allow banks to "object to such changes" if they wish.
Although disclosing the identity of sub-contractors is unlikely to cause a problem for cloud providers in most cases, there are good reasons why they may like to keep the identity of some sub-contractors confidential. Disclosing the identity of a sub-contractor may in certain cases pose a security risk, for example, if it could help cyber criminals focus attacks on their network.
However, it is open to cloud providers to apply a purposeful interpretation of the EBA guidance on sub-contracting, and the GDPR's sub-processing rules, and exclude from the scope of notification the identity of any third parties that do not provide services they consider to form part of the outsourced services, in the case of the EBA's guidance, and any third parties which will not be tasked with processing personal data for the cloud provider, in the case of the sub-processing rules.
Access and auditing
One of the other barriers to cloud adoption that banks in the EU often encounter concerns how they comply with rules on access and audit rights set out in financial services law.
EU law requires financial institutions, when engaged in 'material' cloud outsourcing arrangements, to ensure they, or their auditors, as well as regulators, have rights to physically access the premises of cloud providers.
Industry has long pushed for the right to meet the access and auditing requirements by agreeing rights of virtual access to their data held by cloud providers instead of through the provision of physical access to their premises. However, in its guidance paper, the EBA confirmed that banks that make provision for virtual access to cloud-based systems and data must nevertheless also ensure that cloud agreements provide for physical access and audit rights too.
There have been different interpretations across the banking sector of the precise scope of the requirements on them to provide for access to cloud providers' business premises. It has been unclear, for example, whether rights of access to cloud providers' data centres should be contractually stipulated.
In its guidance, the EBA said definitively that access to data centres should be provided for where they are "actually used for providing the services outsourced".
The EBA explained, however, that while banks must contractually assure full rights of access and audits, they are free to exercise such rights "in a risk-based manner". It said banks can rely on third party audit reports or certifications, and further backed 'pooled audits' as means by which access and audit rights can be complied with.
Pooled audits can also serve to enable banks to meet their obligations under the GDPR when they outsource to the cloud.
Under the GDPR, banks must be able to demonstrate that data processing takes place in accordance with the Regulation, including when engaging with third party data processors.
Cloud providers are obliged to make "all information necessary" to banks to enable them to demonstrate compliance and to "allow for and contribute to audits, including inspections" that banks or their auditors wish to carry out, according to the GDPR's provisions.
There is scope for cloud providers to facilitate banks' compliance with the EBA's guidance and the GDPR by providing third party audit reports in the first instance and enabling access to premises within the context of periodic pooled audits to satisfy any further queries that banks may have regarding data processing and security arrangements.
This approach would respect the spirit of the regulatory and legal requirements banks are subject to, while offering a sensible solution for cloud providers to limit the amount of times that they must open their doors to auditors, thereby minimising their own security risks and costs.
Under the GDPR, banks will generally be required to notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
Where personal data processing has been outsourced by banks to cloud providers, the cloud providers would, "without undue delay after becoming aware of a personal data breach", have to inform the bank of the incident, according to the Regulation.
The Article 29 Working Party, which is a committee made up of representatives of data protection authorities from across the EU, issued draft guidance in 2017 which suggested that banks would be considered to be 'aware' of a data breach at their cloud provider when the cloud provider was itself 'aware' of the breach.
That strict reading of the law would have presented a serious risk to banks and other data controllers that outsource functions involving personal data processing due to the tight timeframes involved for disclosing a breach.
However, that position was updated in the Working Party's finalised data breach notification guidance. It means that, generally, banks will only be said to be aware of data breaches when cloud providers notify them of the breach.
This approach offers welcome flexibility to cloud providers over how to arrange their internal breach reporting process, particularly given the 'one to many' services they offer and the need to maintain operational rigour across their customer base. It also offers flexibility over the contractual deadlines they commit to in their agreements with banks.
We might expect some cloud providers to follow the wording of the GDPR and promise only to disclose data breaches to banks 'without undue delay', while others may be bolder in promising notification of incidents within set deadlines. Either approach would not on the face of it undermine banks' ability to comply with their own data breach notification obligations.
This article was published in Out-law.