Moving to the cloud or outsourcing your infrastructure offers a variety of benefits - no question about it. However, it also introduces risks, especially with regard to data protection. It requires a serious, meticulous and thoroughly planned process. In this blog, I would like to walk you through some of the most critical areas.
An important recommendation: stay away from advisors or vendors who say this will be easy. It is not, and it requires time and effort!
Data protection regulation
Let me start by highlighting a couple of reasons why data protection is so important:
- Protection of personal information is and has been part of the EU's Charter describing the fundamental rights of EU citizens for many years. It has, however, become even more important with the continuous increase of data, online shopping, use of social media and technological progress in general.
- Financial impacts of violating the regulations, or potential consequences for your reputation and client portfolio following a data breach. Safeguarding data from corruption, compromise or loss is a significant responsibility for all companies.
The above are only a couple of the reasons why both executive teams and boards of directors should be diligent in their handling of personal information – also when moving to the cloud or outsourcing critical infrastructure to a vendor.
A part of the GDPR that becomes prominent when moving to the cloud is data transfers outside of the EU/EEA. The GDPR allows such transfers, but the conditions have become more rigorous with the CJEU ruling in Schrems II. The reason is that a data subject's rights in the EU/EEA must "travel" with the subject's data to third countries, which became evident in Schrems II.
In response to this, the European Data Protection Board (EDPB) has issued Recommendations on Supplementary Measures for data transfers to third countries. The Recommendations contain a six-step methodology for assessing transfers of personal data from the EU to countries outside the EU. A few examples of tasks from the Recommendations are: securing a legal basis for the transfer and performing a Transfer Impact Assessment (TIA).
When choosing your transfer mechanism, the most common one is the Commission's Standard Contractual Clauses (SCCs). Another option is Binding Corporate Rules (BCR). The latter requires approval from the Supervisory Authorities and can only be relied upon within consolidated companies.
Along with the methodology, the Recommendations contain practical use cases and guidance on situations where a third country's legislation would prove problematic and require supplementary measures.
The Recommendations emphasize that it is the obligation of both data exporters and data importers to ensure the level of protection set by EU law when transferring data to third countries. To comply with the accountability principle under the GDPR, controllers or processors acting as data exporters must ensure that data importers collaborate with them in ensuring that protection travels with the data, and must jointly monitor that the measures taken are effective and sufficient.
Financial institutions and data management
If you are also handling financial data, a number of additional regulations apply. One example is the European Banking Authority's (EBA) guidelines on outsourcing arrangements, which are implemented into national legislation (e.g. the Danish "Outsourcingbekendtgørelse"). Such national implementation entails differences between the EU countries.
The purpose of these EBA recommendations is to specify the supervisory requirements and processes that apply when institutions outsource their IT infrastructure to cloud service providers. This adds an extra layer of complexity for both the financial institution and the vendors, especially when the financial institution is present in several countries.
These regulations oblige a financial institution to secure corresponding contractual obligations throughout the value chain in order to ensure compliance. Examples include i) the regulation of a vendor's use of subcontractors and ii) the institution's right to perform audits. The client must secure corresponding terms throughout the chain, which can prove difficult when negotiating with global cloud providers.
Conclusion
The purpose of all of these regulations is to protect personal and financial data, which is necessary. It might look overwhelming, but it is definitely doable. However, it is also important to remember that there is a degree of interpretation around these regulations, which might change things over time. You need to stay updated with the latest changes to legislation, recommendations and rulings. At CGI we monitor the situation closely and support our customers on their individual journeys.