Why can’t cloud service providers make you GDPR compliant?
Googling “GDPR compliant cloud service providers” delivers a terrifying amount of noise. Not because it is so vast as to make it impossible to wade through, but because there should be silence. Technically, that search should deliver zero results.
Considering the amount of hype from the cloud industry about “GDPR compliance”, this will probably appear counter-intuitive, even mad. But there are two problems with this search string. The first is that compliance is an inappropriate word in the context of GDPR, even to the point of being misleading.
In the IT industry, and indeed across wider business, compliance with regulations or standards frameworks normally entails a one-off demonstration of adherence to certain rules, plus the implication that such adherence will continue.
But proving your adherence to GDPR on or after 25th May 2018 will not bear out such an implication for even a single day into the future. GDPR observance “requires ongoing effort,” according to several of the European national supervising authorities, including the UK’s ICO. This is because GDPR is tackling business’s use of data – the most treasured, but also the most fluctuating and erratic asset a business owns. Because of its flexible and inconsistent nature, the way in which a business uses and interacts with it changes constantly. This means that proving processes are “compliant” with GDPR today says nothing about tomorrow, rendering the term wholly unsuitable for GDPR.
In order to avoid such a dangerous misperception of the regulations, more accurate terminology for the gold standard of GDPR would be an “ongoing observance of obligations”. This at least echoes the need for a constant evaluation of processes and people.
The second flaw with the search phrase above is the cloud service’s role in GDPR. A cloud service provider cannot make you “GDPR-compliant”, regardless of the suitability of the term.
Of course, cloud service providers need to be mindful of their obligations as data processors, which is how most of them will be classified under the new regulation. They will need to evidence appropriate and agreed security and data management measures in order to show that they do not themselves, nor allow customers to, put personal data in harm’s way. But in fact, the way in which data is stored is only a very small part of GDPR. Assuming that selecting a suitably qualified cloud service provider will make you “GDPR compliant” ignores almost the entire point of GDPR – it is the handling of data that is mainly in question.
This is reflected in how much more emphasis there is throughout the GDPR language on data controllers, of which your business is probably one. The data controller determines the way in which personal data is used and for what purpose. Most businesses fall into this category, especially in the way in which they use client, marketing or HR data, and are required to ensure that their data management processes are in line with the regulations, from collection through to use and deletion.
In fact, supervisory authorities throughout Europe have agreed that, should a breach occur, showing the right processes were in place or being implemented goes a long way to turning their mindset from punitive to supportive. The same has not, however, been said of choosing suitable cloud service providers.
Altogether, this means that while cloud service providers cannot “deliver compliance”, they can certainly undermine it. This is especially so because supervisory authorities consider the data controller to be responsible for the data’s treatment, even in situations where a data processor acting on their behalf has acted inappropriately. A controller may have insisted on a cloud contract with reimbursement clauses for any data privacy fines imposed where the processor is at fault, but the controller remains the guilty party as far as the regulations – and reputations – are concerned.
But some cloud service providers are better able to support regulatory adherence than others. Cloud providers that have built their core services around strategic data management principles, rather than the tactical cloud basics of flexibility, uptime and scalability, are infinitely better qualified to support a business’s adherence to GDPR.
This rare breed will be steeped in data management and data privacy legislation, including GDPR, rather than frantically retro-fitting data privacy technologies, principles and processes onto a previously inadequate environment – as some of the biggest names are currently attempting. These specialists will offer access not only to detailed, practical consultancy but also sophisticated tools that can assist customers in fulfilling their obligations on an ongoing basis. Even these providers would still only ever claim they support GDPR observance rather than “deliver compliance”, but as is often the case, it is a matter of degrees.