CHAPTER 8: OTHER LEGAL AND TECHNICAL IMPLICATIONS FOR CLOUD CONTRACTS

We have already discussed the requirements for a contract between a data controller and a data processor, as well as the contractual implications when Cloud processors are based outside the EEA. This chapter looks briefly at other legal and technical issues with data protection implications.

Naturally, while security is important, ensuring that the data is available when required is also a crucial point. Problems could arise from:

• Loss of service:

  – at the provider’s end, if their system goes down; or

  – at the customer’s end, if the Internet connection is impaired.

• Possible obstacles to a change of provider if the service proves unsatisfactory, caused by the data being held in a proprietary format;

• Possible difficulty retrieving the data if the service ceases, or in case of a dispute with the provider; or

• Difficulty in making a usable and comprehensive backup of the data independently from the provider’s system, as additional security in case of problems.

Even though the NIS Directive stipulates that Cloud service providers must put “appropriate and proportionate technical and organisational measures” in place to “manage the risks posed” (Article 16(1)), which must take incident handling and business continuity into account, Cloud providers are unlikely to offer guaranteed levels of service, as failures do happen from time to time. Because these risks cannot be ignored, you should ensure contingency plans are in place. This is why the Directive is ultimately about cyber resilience – not just protecting what can be protected, but also ensuring that the organisation is able to recover from any incidents.

Also note that under the NIS Directive, incidents of “substantial impact” have to be reported. However, it is the Cloud service provider’s responsibility to assess the scale of the incident (thereby determining whether it should be reported) – not the supervisory body, and not the data controller.

Retrieving data in the event of a breakdown in the commercial relationship may be less easy to provide for, which is why a readily usable backup, independent of the Cloud provider’s systems, is likely to be essential. Not only may the format in which data is stored make retrieval of useful data awkward, there is also the question of precisely where it is stored and how to access it.

Few Cloud providers control all the assets involved in providing their service. Frequently, there are several links in the chain: the service provider may be a reseller of another company’s product; the data storage may be subcontracted out, and the subcontractor may not own the physical hardware on which the data is stored. Should any of these links break, there is no direct contract between the data controller and the ultimate holder of the data.

To complicate matters further, the different companies in the chain may be based in different legal jurisdictions.

Other points to watch out for in standard terms and conditions include:

• Contract terms that make the supplier a data controller in their own right (for example, if they reserve the right to make use of the customer’s data, or some of it, for their own purposes); and

• Unilateral changes in terms and conditions by the provider.

These concerns all indicate that it is very important to carefully study the legal and technical underpinning of any Cloud service before entrusting personal data to it – for which you may be held liable – or basing critical processes on Cloud applications. It is not always easy to piece together all the necessary information, and some providers are better than others at making such details all readily available in a comprehensible form. A cursory review is not enough, and those entrusted with the review should have the necessary legal or technical expertise to understand the implications of the information they obtain.

The concerns also contribute to an essential requirement in any Cloud application: ensuring that there is a reliable way to continue business if the relationship with the Cloud provider breaks down in any way. An escrow or recovery procedure should not just be put in place, but also tested and documented so that it can be reliably and promptly brought into action if required.

Ideally, such a procedure should be built into an incident management programme that takes note of both ISO 27001 and ISO 27035 – the Standard for information security incident response.[27] If communication with a Cloud provider does break down, this is likely to have a serious impact; as such, it may be a good idea to prepare for this as a specific scenario within such a management programme.

Responding to breaches

The UK’s ICO provides information on security breaches[28] and checklists for organisations to prepare for and effectively respond to data breaches in line with the GDPR.[29]

Most organisations will be concerned at the reputational damage that a serious breach would be likely to bring. It is common practice to have a prepared statement in place that can be adapted to the specific circumstances, and to allocate responsibility for communications with the media and with regulators. It may be worth considering whether arrangements should also be made to involve the Cloud provider in the response, if the breach takes place as a result of a failure for which they are partly or wholly responsible.

With regard to Cloud services, there are other considerations in the wake of a breach. For instance, are you able to segregate systems provided in the Cloud? Do you have reliable access to backups? Does the provider have adequate resources to support recovery and to provide logs and other evidence? If the breach results in a ‘simple’ loss of functionality, does the Cloud provider offer guarantees of continuity? All these questions should be considered when preparing your organisation for a breach.


[27] You may wish to consult IT Governance’s Cyber Incident Response Management service, available at: www.itgovernance.co.uk/shop/Product/cyber-incident-response-management.

[28] ICO, “Security breaches”, https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/security-breaches/.

[29] ICO, “Personal data breaches”, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/.
