Since the enactment of the EU GDPR in May, the UK’s Information Commissioner’s Office has levelled several penalties. Uber is the most recent company to be dealt a GDPR fine. The grounds were failing to protect personal data during a serious hacking incident. Downloaded from Uber’s cloud storage system were millions of UK customers’ names, email addresses and phone numbers. Astonishingly, Uber did not notify customers of this major breach for over 12 months. Instead, they paid the ransom demanded by the hackers to destroy the information.
This ICO GDPR fine confirms predictions that data protection agencies in Europe will not hold back in enforcing the regulation. The ICO, for example, has increased internal resources and will investigate complaints. The intention is clear: it will issue a GDPR fine where appropriate.
This incident begs the question – how secure is Uber’s cloud storage system?
Supplier GDPR compliance
If your company stores customer personal data, ask yourself whether your SaaS supplier is GDPR-compliant.
All organisations, big and small, around the globe that process any personal data about citizens in the EU should take serious action to comply. This includes non-EU organisations, as this fine demonstrates. To ensure compliance, audits will need to be conducted on how all personal data is processed, both historically and in the future.
Before entering into a contract with a Software as a Service (SaaS) supplier, you should consider what steps they are taking to meet the standards set out by the GDPR. What information security management system do they have in place to ensure they are compliant with government cloud implementation standards? Do you know if you have rights to delete your customers’ stored data if they demand it? Can you easily find that user data and send it to them in a suitable format? Is the data centre that stores your personal data accredited to ISO 27001?
Processors and controllers
The GDPR requires the controller – the company – to sign a data processing agreement with the processor – the cloud provider – which stipulates a number of obligations such as:
- only acting on the instructions of the controller,
- taking adequate security measures to protect you from data loss,
- assisting in responses to requests for data,
- removing traces of data after the termination of service.
Similarly, the company itself is required to meet the obligations set out by the GDPR. This means it must be able to demonstrate what processes are implemented to guarantee data protection and compliance.
The processor is liable for any damages relating to poor compliance, including acting against the controller’s wishes or data breaches caused by the processor. However, you, the company, must also take responsibility for the actions of the processor. This means you should take care when engaging a supplier that has little to no track record or a history of negligence.
It is important to always check the Terms and Conditions. Most cloud providers provide services on the basis of terms and conditions which do not meet the strict requirements set out by the GDPR. Unfortunately, they are often non-negotiable. If this is the case, you need to change suppliers.