Cloud service providers (CSPs) are at risk of underestimating the impact of new EU data protection legislation on their business models, according to new research from IDC.
The General Data Protection Regulation (GDPR) applies from May 25, 2018, and introduces substantial changes in the way that personal data must be protected. As organizations move to the cloud, they must assure themselves of their service providers’ understanding of the new obligations. Equally, CSPs must understand the extent to which they now have liability under GDPR, and how they can construct workable and valid contractual agreements.
The IDC report notes that CSPs not based in the EU will still be affected by GDPR if they offer goods or services to EU-based individuals, either directly or via a customer organization such as a retailer or SaaS provider. Importantly, it does not matter whether a CSP knows that its customers are using its service to process personal data. “Ignorance is no defense,” said Duncan Brown, associate vice president of security at IDC.
“CSPs must act immediately to consider their position under the GDPR, and review all systems and processes before the 2018 deadline,” Brown said. “GDPR means increased risk and higher costs for CSPs dealing with personal data.”
Most CSPs will be affected by GDPR because the definition of processing is broad and includes simply storing personal data. Similarly, personal data is also broadly defined and includes any data that relates to an identified or identifiable living human.
“Many CSPs are unaware of these broad scoping definitions and are thus unprepared for their GDPR obligations,” said Brown.
IDC recommends that CSPs understand the cloud supply chain, and conduct due diligence on subprocessors. Audits of subprocessors will be important, and CSPs may also begin auditing their customers to ensure that cloud services are used in a compliant manner.