CHAPTER 2: DEFINITIONS

Cloud technologies are governed by a number of laws, so it is useful to understand a few key terms from the GDPR and the NIS Directive.5

Cloud computing service (NIS Directive)

a digital service that enables access to a scalable and elastic pool of shareable computing resources

Note that this is the legal definition; there may be services that do not necessarily meet this definition but are still advertised as operating in the ‘Cloud’, and for your purposes it may be worth treating them as such.

Data controller (GDPR)

the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law

In other words, the entities that determine what the data is processed for and how it is processed. These will usually be the ‘public-facing’ entities that data subjects supply their information to.

Data processor (GDPR)

a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

The data processor is the entity actually processing the data. In many cases, the data controller and the data processor will be the same entity, although a single data controller may have several data processors. If you use a Cloud service provider, your relationship may well be a processor–controller one, with the Cloud provider as the processor. In particular, if you store data in the Cloud, that will be considered processing under the GDPR, making that Cloud provider a processor. There are many grey areas, however, and the specifics – whether the provider is a processor or simply a ‘third party’ – are often down to the exact service provided.

Data subject (GDPR)

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

The list of identifiers above is not exhaustive: any information, in any format, capable of identifying a data subject is deemed personal data. This includes any correspondence, photographs and CCTV footage – whether stored in the Cloud or not. Note that the consequence of this definition is that you do not even need to know someone’s name; if you can single them out and perhaps treat them differently from anyone else, this would likely make them ‘identifiable’. An online persona may bear no relation to a person’s name in the real world, but the information held about them is still likely to be personal data.

Note also that nationality is of no importance; the data subject is protected by the GDPR as long as they are an EU resident.

Digital service provider (NIS Directive)

any legal person that provides a digital service

A “digital service” is, in turn, defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. The organisations considered DSPs are Cloud service providers, online marketplaces and online search engines.

Incident (NIS Directive)

any event having an actual adverse effect on the security of network and information systems

All incidents are ‘events’, but not all events have negative consequences. It is common to investigate all events to determine whether they are actually incidents.

Personal data (GDPR)

any information relating to an identified or identifiable natural person (‘data subject’)

A data subject can only be a living person – the Regulation does not cover the deceased, corporations or other entities.

Personal data breach (GDPR)

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

The majority of data breaches that the GDPR is concerned with are personal data breaches. This differs from the NIS Directive, which is primarily interested in disruptions that affect the availability of essential services.

Processing (GDPR)

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

This is an extremely broad definition but, again, it is not exhaustive. Functionally, processing may include any interaction you have with personal data, in whatever form it takes. As such, it is hard to see how a Cloud application could operate without ‘processing’ data within this definition.

Special categories of personal data (GDPR)

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation6

Such data, also referred to as ‘sensitive data’, is not allowed to be processed except under specific circumstances. If such an exception applies, the data will require special treatment. In terms of Cloud computing, the loss or compromise of sensitive personal data would be a very serious matter. Organisations therefore need to be especially certain about how such data is processed; it could, for instance, have an impact on the use of Cloud services or on the decision as to whether a Cloud approach is appropriate at all.

Third party (GDPR)

a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data

As mentioned earlier, it may be tricky to establish whether the Cloud service you use can be considered a processor or third party. However, your Cloud provider should be able to help establish the precise details of the relationship.


5 All definitions can be found in Article 4 of the GDPR and the NIS Directive.

6 GDPR, Article 9(1).
