Cloud Service Providers (CSPs) of any size risk being hit with major fines if they fail to comply with the terms of the General Data Protection Regulation (GDPR). This is according to managed service provider The Bunker who argues that, irrespective of size and where they sit in the supply chain, CSPs need to have the relevant capabilities and security in their DNA if they wish to achieve and maintain full compliance.
The GDPR comes into effect on 25 May 2018 and is designed to better protect citizens’ data and harmonise legislation across the EU. Speaking at the recent Cloud and Infrastructure Summit 2016, Data Protection expert Kuan Hon, stated that it may be near impossible for cloud computing companies to put the required terms and conditions on their suppliers, unless they are as large as the giant vendors such as Amazon, Google and Microsoft due to the degree of leverage they have over their supply chains. Instead responsibility will flow down the digital supply chain, putting a burden on smaller providers. This, she predicted, will leave the larger players to dominate Europe’s cloud market.
Phil Bindley, CTO at The Bunker, believes that while there is only so far smaller companies can realistically perform due diligence along the supply chain, as these can be extremely extensive, company size will not be the determining factor for success in the European market. Instead, the defining business attribute will be having a culture of information security instilled within the business.
Bindley explains: “The GDPR is a heavyweight piece of legislation and will challenge cloud providers of all sizes, but it is much more onerous to comply with for those that don’t have security in their DNA. It is likely that the herd will thin out over the next few years as less proficient CSPs are forced out of the market. For smaller CSPs it may be hard to put the required conditions on larger suppliers, however, this is not impossible. The GDPR stipulates that there is joint liability between controllers and processors. Consequently, if an individual raises a claim, even those at the top of the chain could be liable. Moreover, it will be the customer’s choice who they want the fines paid by and it is then up to the data processor to be refunded money from the responsible parties within the supply chain.
“As liabilities will be placed on the data controller and the data processor, everyone in the supply chain needs to know their responsibilities and what is expected of them. Cloud Service Providers – the data processors – need to be completely transparent in order to reassure the data controller that they are not introducing a degree of risk in the supply chain. Even the largest suppliers have to be open to testing and must cooperate with audits. Transparency about how data is being handled, who has access to it and where it is stored is key.
“Ultimately, the GDPR is about protecting EU citizens’ data. In order to do this effectively companies must have a culture of information security engrained within their business; taking this approach has the benefit of making companies more competitive by allowing them to manage risk effectively. It doesn’t matter about the size of the supplier, without a secure framework in place people are not going to want to do business with you,” concludes Bindley.