Are you a controller of personal data under the General Data Protection Regulation ("GDPR") who uses a cloud services provider ("CSP"), or are you a CSP who acts as a processor to a controller customer who has engaged you to provide it with cloud computing services ("CCS")?
If you answered yes to either question, you are required to be aware of the data protection risks associated with the provision and receipt of CCS and to comply with GDPR obligations appropriate to your status as controller or processor of personal data. Helpfully, the Data Protection Commission ("DPC") has issued a CCS guidance note dated October 2019: "Guidance for Organisations Engaging Cloud Service Providers" which is a useful addition to the range of advice issued by the DPC and provides useful clarification for both customers and suppliers of CCS.
CCS obligations under GDPR
Controllers have an obligation under GDPR to process personal data in a way that ensures appropriate security (as per the data protection principles of integrity, confidentiality and security). The DPC highlights that organisations must ask whether they have appropriate technical and organisational measures in place and ensure their processors do too. The DPC has separately issued guidance for controllers of personal data on data security, which is a reference guide to assessing whether appropriate security measures exist or are required to be implemented. As the DPC states in the CCS guidance "the use of any cloud services as part of [data controllers'] business is an important area in which organisations need to ensure there is adequate security for the personal data they process".
Cloud computing under GDPR
The DPC notes that "people often mean different things when they talk of processing data 'in the cloud'", which is undoubtedly true. The CCS guidance is not intended as a detailed guide to cloud computing or different types of CCS and thus generally describes cloud computing, for both controllers and processors, as "usually involves" an external CSP doing some or all of the processing or storage of personal data "on servers and/or in a data centre" under that CSP's control. The DPC notes that CSPs' will "in many cases" be acting as data processors and reminds CSPs to be aware of their obligations as processors, which are less onerous than those that apply to controllers. Whether a CSP is a data processor or controller is a question of fact, which can be a difficult analysis.