On May the 4th 2016 history was made. The EU General Data Protection Regulation (EU GDPR) was published and officially comes into effect on the 25th May 2018. It will replace, (yes, replace) EU member states national data protection laws and that includes our UK Data Protection Act.

And while the result of the EU referendum strongly suggests that the UK will leave the EU, that doesn’t alter our obligations or reduce the potential impact of this regulation on global businesses. US businesses and those from other jurisdictions must sit up and take note.

What is the background?

Current EU data protection legislation is implemented as a directive rather than a regulation. A directive stipulates that each European member state must devise and implement their own law that meets the standards set by the EU. By contrast, EU regulations override national law, therefore the incoming EU General Data Protection Regulation will supersede all member states national Data Protection laws. For the UK this means the EU GDPR will supersede the Data Protection Act 1998

The EU GDPR then, is a unifying regulation. And one of the primary reasons it has been developed is to help resolve the challenges that organisations within and outside the EU have dealing with a multitude of country specific data protection regulations.

I don't want to talk too much about the legal jargon, Model Clauses and suchlike, but do want to give you enough information to make sure you are asking the right questions of potential suppliers, and to be aware of the implications for business and the risks of not abiding by the regulation ( EU General Data Protection Regulation)

However, before we move on, here is a refresher on some key terminology. The following statements are taken from the UK’s Data Protection Act 1998:

  • “Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processedData
  • Processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller”

What are the key differentiators for the new regulations?

Personal data: The regulation’s scope now explicitly includes IP addresses, user ID’s, location data etc;

Right to be erased: Users can demand to be ‘erased’ and hefty fines can be levied on data owners who fail to act according to the regulation.

Geographical location

Businesses outside of the EU who act as data processors or data owners need to be aware that the EU GDPR applies to them if;

  • They operate within the EU. i.e. an office located within the EU
  • Track or monitor EU residents (for example, targeted advertisements)
  • Offer goods and services to EU residents (from anywhere in the world)

Sanctions and compensation

Should a breach occur, data owners and data processors could find themselves liable;

  • End users will be legally entitled to sue for compensation
  • Regulatory sanctions and fines have been increased, and significantly so, as fines of €10’s million or 5% of global turnover (whichever is higher) can be applied

Impact on Data Processors

Arguably, the most important part of the new legislation is the inclusion of new rules that impact data processors. Let’s compare the current directive with the incoming regulation;

Current directive

  • Data Processors must have the correct Information Security capability and be in a position to secure client data
  • Data Processors can only act on data on the authority of the client (Data Owner)

The forthcoming regulation extends the existing directive:

  • Data Processors must retain records of the data under their possession in line with the policy applied to the record
  • Data Processors must maintain the appropriate technical and organisational security capability (InfoSec)
  • Data Breaches - Data Processors are now subject to significant fines – not just the Data Owners!
  • Data Processors must provide notification of breaches within 72 hours to:

The regulators

The data subject

The data owner (if you are a data processor)

This is going to lead to a significant challenge for cloud providers, who as data processors are not liable under the current directive, but will be liable under the EU GRDP.

One key question to the cloud providers is – “ Can you as a cloud service provider survive a fine of €100 million or 5% global turnover for the previous year?”

A silver lining?

There is some relief within the regulation that has the potential to reduce the burden placed on data owners.Broadly speaking, those organisations that take appropriate steps to pseudo anonymise or encrypt data will be deemed to have met individuals ‘reasonable expectations’ of data privacy and protection.

In Summary

Public naming and shaming, end user compensation claims, regulatory sanctions and reputational damage represent some of the potential outcomes for data owners should they, or their data processors, be found in breach of the Regulation. Therefore, it is of critical importance that organisations carefully vet potential Managed Service and Cloud providers to assess their suitability as data processors. This means suppliers have to prove they can secure an organisation’s data and ensure they have the financial resources in place to cope survive should disaster strike.


Do you need advice on how to manage your cloud partner relationship for the best outcome for your data? Contact info@XceedGroup.com