15 August, 2016
Providers of cloud computing services will be faced with new obligations under the General Data Protection Regulation (GDPR), which will come into force on the 25th of May 2018, and the European Directive on Security of Network and Information Systems (NIS-Directive), which will come into force on the 1st of May 2018. Under the GDPR, providers of cloud computing services can often be qualified as a data processor. Data processors under the GDPR are more heavily regulated than under the current Directive 95/46/EC. Furthermore, the NIS-Directive introduces a new requirement for providers of cloud computing services to take adequate security measures, as well as an incident notification obligation. Competent authorities should also have the necessary powers and means to assess compliance with the obligations set out in the NIS-Directive.
Obligations under General Data Protection Regulation
Recent research shows that most cloud providers are not prepared for the GDPR. Under the GDPR (which replaces the current Directive 95/46/EC), cloud computing services can often be qualified as “processors” within the meaning of Directive 95/46/EC. Under the GDPR, processors will be more heavily regulated: processors can be held directly liable for failing to meet the obligations set out in the GDPR, whereas that liability currently falls on the data controller. Under the GDPR, data processors will have their own obligation to process personal data lawfully, fairly and in a transparent manner in relation to the data subject. An important obligation for data processors will be the security requirement: data processors are to take appropriate technical and organisational measures to protect personal data against loss or unlawful processing. They should negotiate their processor agreements carefully to establish the right security level.
To prepare for the GDPR, data processors should consider whether the services they offer and the processor agreements they currently have in place, or which they are renegotiating or concluding, meet the requirements under the GDPR. Non-compliance with the GDPR can lead to significant fines, thus increasing the liability risks for cloud providers. Would you like to know where the blind spots are for your organisation? Do the privacy compliance check!
The EU Directive on Security of Network and Information Systems (NIS-Directive) aims to ensure a high common level of network and information security across the EU. One of the aspects of the NIS-Directive is a new obligation for digital service providers (including providers of cloud computing services) to take appropriate measures to manage security risks (the security requirement). The NIS-Directive also introduces a notification obligation for cyber security incidents. Serious incidents have to be reported to the national competent authorities and/or the CSIRT (Computer Security Incident Response Team). The Netherlands will be implementing the directive into national law in the upcoming months. The regulatory bodies have yet to be identified, and an organisation that will be tasked with the CSIRT tasks for digital service providers has to be appointed. Would you like to be kept up to date about the implementation and how it will affect your organisation? You can! Check our monitoring and intelligence services.
The definition of a cloud computing service
Cloud computing services are services that allow access to a scalable and elastic pool of shareable computing resources. Those computing resources include resources such as networks, servers or other infrastructure, storage, applications and services. The term ‘scalable’ refers to computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand. The term ‘elastic pool’ is used to describe those computing resources that are provisioned and released according to demand in order to rapidly increase and decrease resources available depending on workload. The term ‘shareable’ is used to describe those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment. (NIS-Directive, recital 17).
Would you, as a provider of cloud computing services, like to know more about your obligations under the GDPR and the NIS-Directive? Or would you like to know how to change or shape your processor agreements in accordance with the GDPR? Feel free to contact us!
Senior Legal Consultant