GDPR and Brexit -- Is your cloud provider ready for the UK 'being treated like a third country'?
The UK government has always maintained that following Brexit, the European Union’s General Data Protection Regulation (GDPR) will be absorbed into UK law. This means that there will be no material changes to the data protection rules that organizations in the UK will need to follow.
However, the French data protection regulator has recently said that in the event of a no-deal Brexit and absence of an adequacy decision, it will treat the UK like any other country that is outside the European Economic Area. In other words, it will treat the UK as a "third country." It’s likely that other EU country regulators will take this approach too -- and such decisions have legal implications for organizations.
For starters, organizations will need to put new processes in place for data transfers by data controllers and data processors. Just as importantly, organizations need to have a good understanding of the operations and remit of their cloud services providers. For example, if their cloud services are not based in the UK, organizations -- especially those with multi-jurisdictional presence -- could be at risk of running afoul of data protection regulations.
Any organization that wants to get ahead of this situation needs to ask their cloud vendor several key questions -- and pay close attention to the answers -- to ensure they’re ready for whatever Brexit may bring.
Question #1 for any cloud vendor: "Can you successfully migrate data out of the UK to another location?"
Many cloud vendors have datacenters -- and therefore, client data -- located in the UK. In the event that the UK is no longer part of the EU, many organizations may prefer to make sure that their data resides somewhere that is part of the EU, to avoid having to rely on appropriate safeguards pursuant to Article 46 of GDPR to store their data in the UK.
Does your cloud vendor have datacenters that are already built and fully operational in the EU? If not, that’s obviously a concern if you prefer to store your data in the EU -- but even if they do have datacenters in places like, say, Germany, or The Netherlands, how easy is it for them to move your data out of the UK to one of these other countries?
For some cloud vendors, this will be a seamless transition. For other vendors, due to their architecture, it will be very difficult for them to pull off this migration easily. It is wise, then, to ask your vendor how prepared they are to move their customers to a different location -- not just "do you have datacenters in the EU?" but also "how quickly and easily can you transition existing customers to these datacenters?"
Question #2 for any cloud vendor: "Who is your DPO?"
Any customer organization that transacts with a cloud vendor is entrusting that vendor with a significant amount of data. What is the cloud vendor doing to protect that data -- and are they protecting it to the level GDPR requires?
Article 37 of GDPR requires the designation of a data protection officer (DPO) in certain situations. GDPR provides some leeway as to who needs to designate a DPO and who can serve as a DPO: it can be an individual, or it can be an organization.
Regardless of who serves as DPO, they have a significant amount of responsibility on their plate. According to Article 39 of GDPR, a DPO’s responsibilities include the following:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing.
If your cloud vendor hasn’t appointed a DPO, even if not required by GDPR, that could be cause for concern, given the importance of controllers complying with GDPR. Amongst those vendors who have appointed a DPO, it bears taking a closer look at who’s serving in that role.
Many vendors appoint an individual within their own organization to serve as their DPO -- and this individual may be perfectly capable of carrying out the duties and responsibilities that are required of them. However, when the DPO is a member of the same organization they’re supposed to be monitoring, there may be situations where the potential for a conflict of interest arises, such as when the DPO needs the utmost independence to carry out his/her duties. Certainly, the DPO should not be carrying out activities where he/she determines the purpose and means of processing data, so having other internal tasks that would blur their role with that of the controller would require careful assessment.
Many cloud vendors have decided to avoid any potential conflicts by specifically appointing a third-party organization to serve as DPO. After all, when an organization is undergoing a financial audit, they hire a third-party accounting firm. When they’re undergoing a security audit, they hire third-party auditors. Simply put, there’s value in attestation that comes from the outside rather than from within an organization.
Look for vendors that are thinking one step ahead and will be able to provide outside auditors for privacy, the same way many organizations already do for financials or security. While there may not be a certifying body in place yet for privacy, there will be soon -- and those vendors that have taken the time and effort to create that level of separation between themselves and their DPO will be best positioned to approach regulatory compliance with as much diligence as possible.
Start preparing now
No one knows for certain what will happen with Brexit. But in order to ensure they’re not running into any GDPR compliance issues, organizations need to start thinking about these issues now, to ensure their cloud vendors are prepared for whatever lies ahead. Asking the questions above will help organizations ensure that they’re partnering with a cloud vendor that is making the very best efforts to prepare for and comply with GDPR in the event the UK becomes a "third country."
As General Manager, Dan Dosen is responsible for the commercial aspects of the iManage cloud including customer onboarding, security-compliance and cloud roadmap. Most recently he was VP Business Development at Microsystems and VP Product Management at SpringCM.