For customers procuring cloud services, it is essential to understand fully the impact of data protection and privacy law on the procurement process. The areas of greatest concern are how a customer selects a supplier that complies with all the legal obligations affecting the customer, how to identify and mitigate service risk, and how to allocate liability for the service between customer and supplier in proportion to the price of the service and the risk the supplier accepts. How that liability is allocated in practice, and how it flows down to sub-contractors in the supply chain, is also an issue.
The introduction of GDPR will only increase this scrutiny and the associated compliance requirements. A clear data strategy with a strong grounding in GDPR compliance is therefore essential, given the well-publicised fines regime that will enable national data protection authorities to levy fines of up to 4% of group worldwide annual turnover or €20,000,000 (whichever is the higher) for breach of the basic principles of processing and of the rules on data transfers.
This paper focuses on the infrastructure as a service market rather than the wider cloud market (for example, software as a service). We hope to provide a practical guide for those buying cloud services, as we are conscious that good practice not only promotes a safe environment in the UK for businesses to flourish, but also delivers on the UK Government's promise to make the UK the "hardest target" for cybercrime. The challenge is to consider the consequences of what you are doing and its wider repercussions, and whether the law will provide a framework to help you or present obstacles to a commercially reasonable solution.