Using cloud? Watch out for the regulators, warns Pinsent Masons
Simon Colvin, global head of Technology, Media & Telecommunications at law firm Pinsent Masons, explains what cloud providers and customers need to watch out for as regulators step up their stringency
It's not enough for cloud deals to be ad hoc arrangements, nor for standard terms and conditions to apply, as evolving regulations reinforce the need for specific contracts.
That's according to Simon Colvin, global head of Technology, Media & Telecommunications at law firm Pinsent Masons, speaking at today's Cloud and Infrastructure Live! conference in Central London.
"No matter where you are in cloud, you're likely to be dealing with customers; if that means data, it means you have to watch out for the regulator. Otherwise you'll get fines and suffer other implications for your business," began Colvin.
"All GDPR [General Data Protection Regulation] requirements need to be imposed by contract, they can't just be ad hoc arrangements, regulators will come down on you like a ton of bricks if you do that," he added.
That means managing personal data: knowing where it is and the purposes it will be used for, minimising the use of personal data, minimising how long it will be stored in the cloud, and being able to control the pull-back of data so that it can be returned or destroyed.
"If you're dealing with cloud, you need to be aware of all your obligations, assessing where data goes, how it's outsourced to the cloud, in which countries it's stored, in which countries it's processed, where it goes and how long it's stored for. GDPR says it should be stored for as little time as possible, and that all needs to be reflected in the contract."
And some of these obligations make traditional standard cloud terms unworkable, according to Colvin.
"You need to submit to audits and inspections as a cloud provider. You need to let, potentially, customers and often regulators look at what data is processed, look at the security you have in place, and that often requires physical access by the regulator, so those are provisions which need to be in the contract."
The GDPR also provides for customers to have a degree of control over their data, which can be very hard to implement in reality. Colvin explained that the compromise he has seen is that cloud providers state in their terms that if they negotiate new arrangements, the customer has the right to terminate.
"It's not the same as direct control, but it works," said Colvin.
He went on to discuss the idea of the processing of data relating to EU citizens happening in other parts of the world.
"The GDPR doesn't like the processing of data outside the European Economic Area [EEA]. It's more comfortable with data moving around Europe, as there's adequate protection there. It manages that by saying that if you want it to go outside the EEA, the client needs to know, and be able to assess where it's going.
"The regulators also must recognise that other country as having adequate protections, otherwise the GDPR says you need new onerous requirements regarding security, return of data and others."
Colvin also explained that there are new obligations placed upon data processors.
"Previously the data controller had all the obligations, not the processor. But the GDPR changed that; now you as a cloud provider can be found liable under the act. There are certain, more limited obligations which cloud providers need to be aware of. These are things like doing what customers require with data handling, but alerting them if what they ask puts the provider in breach of GDPR - so they can refuse to do it.
"There are also requirements under GDPR that the supplier must act under the written instructions of the customer. Regulators are now starting to come down hard under GDPR, so these are unfortunately difficult times for cloud providers," he concluded.
GDPR also applies to the use of AI, as a prominent legal expert recently told Computing.