Virtustream Blog

The GDPR Spirit - One Year Later

in Compliance, Cloud, Trust

The General Data Protection Regulation, otherwise known as the GDPR, has been the buzz lately in data privacy, and we all know why: the PENALTIES! For the most part, the obligations are not revolutionary, but the penalties have upped the ante for any company that was only superficially complying with European data privacy laws. Depending upon the GDPR provision violated, privacy regulators can issue a maximum monetary fine of either (i) 10 million euros or 2% of global annual revenue or (ii) 20 million euros or 4% of global annual revenue; severe penalties for a company of any size. I won’t belabor the point with a blog on what the GDPR is, as Virtustream has published a white paper on the GDPR. Instead, let's dive deeper into the GDPR spirit, the enforcement climate, and the basic (not all) GDPR obligations with which your Infrastructure as a Service (“IaaS”) provider should be complying.

Real World Impact

The GDPR is being enforced in a highly politicized environment, with privacy activists fighting from the perspective that data privacy is a human rights issue; and, with core principles like fairness, transparency, integrity, and accountability, the GDPR seems to have been written from this perspective. Privacy regulators are showing that a data breach is not a prerequisite for a penalty. Any company simply violating the core principles can be sanctioned. In January, Google was hit with a whopping 50 million euro fine (which it is appealing) by the French Data Protection Authority for violating some of the GDPR core principles. The good news is that the Google sanction appears to be an outlier, as the majority of the monetary penalties issued to date do not resemble the high maximums permitted under the GDPR. However, I suspect that the politics of the time will start to dictate the type of penalties we will see.

For example, Max Schrems, one of the most well-known privacy activists in Europe, started a non-governmental organization called None of Your Business (“noyb”), focused on fundraising for strategic litigation against companies which it feels have dishonest privacy practices and nonchalant attitudes toward privacy rights. Noyb considers itself to be a watchdog for human rights. It notes on its website that Article 80 of the GDPR provides non-profit organizations with the right to bring class action lawsuits against companies for data privacy violations. With the right funding, such an organization can be a lethal force in the European privacy sphere. As privacy activism heats up, we may be seeing more watchdogs on the lookout.

The GDPR Spirit in the Cloud

Unfortunately, as with most data privacy legislation, the GDPR is not necessarily tailored to cloud services. Some IaaS providers claim that their cloud can make a customer compliant with the GDPR, but given the many different responsibilities of data controllers (you) and data processors (your provider) under the GDPR, this could not be further from the truth. The GDPR is not a compliance mechanism like ISO or PCI. As of now, there is no software or auditing company that can certify you as “compliant” with the GDPR on behalf of the EU Commission. There are some obligations for which the customer/data controller must take the lead, e.g., obtaining consent from data subjects, when required by the GDPR, to use personal data for marketing or other purposes. I encourage you to consult with your privacy team to determine your obligations as a data controller under the GDPR.

While your IaaS provider cannot make you compliant, as your data processor, your provider is still an important aspect of your GDPR compliance. The following are basic GDPR obligations with which any provider should be assisting you in complying.

Article 28 Contractual Provisions: Article 28 of the GDPR sets forth required contractual clauses for any contract subject to the GDPR; however, no specific format is prescribed. As such, it is important to ensure that these clauses are included in your contract in some way, considering the nature and purpose of the data processing. Virtustream’s standard master services agreement includes a data protection schedule that meets the requirements of Article 28.

Articles 44-49 International Transfers: European data privacy legislation has always regulated the transfer of data originating in the European Union to non-European Union countries. With respect to the United States, the Safe Harbor method provided a fairly simple means of transferring data between the United States and the European Union. US entities could publicly attest to Safe Harbor privacy principles, and then data could be transferred from the European Union to the United States without the need for additional contractual assurance. However, in 2015, this agreement was invalidated by the European Court of Justice in a lawsuit that Max Schrems brought against Facebook Ireland. As such, you now need to know where your provider is storing your data. If your data will be hosted in a non-European Union data center, Article 46 lists the permitted methods through which you can transfer data to that data center location. To assist our customers in compliance with this Article, Virtustream offers its customers a choice of data center locations, which include locations in the European Union.

Article 32 Security Measures: The GDPR does not mandate specific security measures; rather, it requires implementation of appropriate technical and organizational measures, considering the nature and purpose of the data processing. Your provider should be transparent with you regarding the security measures, including the quality thereof, that it deploys in your cloud environment. In particular, you need to understand whether your provider has (i) an information security policy that includes a governance process to create workforce accountability, (ii) a policy for breach notification, response, and remediation, and (iii) relevant auditing certifications (e.g. SSAE18, SOC2, etc.). Virtustream provides this information in our standard data protection schedule, including an annex describing the security measures that we deploy.

Virtustream Cloud Security

While the GDPR does not require encryption, I would highly recommend purchasing encryption as part of your IaaS offering. By rendering your data unreadable to potential hackers through encryption, your company could save itself from massive fines and damages, in addition to further protecting your customers’ data. While the GDPR harmonizes data privacy legislation in the European Union, it also provides room for further national data privacy legislation. Thus, data encryption can be useful as an additional step in ensuring compliance with more restrictive national regulations. Further information on Virtustream’s security, such as encryption, can be found here.

As the GDPR spirit continues to spread across Europe and even the world, pay close attention to your data privacy compliance. Given the climate in which the GDPR is being enforced, we can expect to see many more enforcement decisions in 2019. Experts state that authorities in the European Union already have a backlog. If you have any questions on how Virtustream can assist you in complying with the GDPR as your IaaS provider, please do not hesitate to contact us.