06 Jun 2017
LONDON, June 7, 2017 — According to new research from International Data Corporation (IDC), cloud service providers are at risk of underestimating the impact of new data protection legislation on their business models. The General Data Protection Regulation (GDPR) applies from May 25, 2018, and introduces substantial changes in the way that personal data must be protected. As organizations move to the cloud they must assure themselves of their service providers' understanding of the new obligations. Equally, CSPs must understand the extent to which they now have liability under GDPR, and how they can construct workable and valid contractual agreements.
"CSPs must act immediately to consider their position under the GDPR, and review all systems and processes before the 2018 deadline," said Duncan Brown, associate vice president of security at IDC. "GDPR means increased risk and higher costs for CSPs dealing with personal data."
Most CSPs will be affected by GDPR because the definition of processing is broad and includes simply storing personal data. Similarly, personal data is also broadly defined and includes any data that relates to an identified or identifiable living human. "Many CSPs are unaware of these broad scoping definitions and are thus unprepared for their GDPR obligations," said Brown.
The IDC report — The Impact of GDPR on Cloud Service Providers — is divided into two parts. The first examines general considerations for contracts and liability, while the second focuses on security, international data transfers, and other considerations.
The report notes that CSPs not based in the EU will be impacted by GDPR if they are offering goods or services to EU-based individuals, either directly or via a customer organization such as a retailer or SaaS provider. Importantly, it does not matter if a CSP knows whether its customers are using its service to process personal data. "Ignorance is no defense," said Brown.
IDC recommends that CSPs understand the cloud supply chain, and conduct due diligence on subprocessors. Audits of subprocessors will be important, and CSPs may also begin auditing their customers to ensure that cloud services are used in a compliant manner.
The Impact of GDPR on Cloud Service Providers — Part 1: General Considerations for Contracts and Liability (IDC #EMEA42627817, May 2017)
The Impact of GDPR on Cloud Service Providers — Part 2: Security, Data Transfer, and Other Considerations (IDC #EMEA42627917, May 2017)
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets. IDC helps IT professionals, business executives, and the investment community to make fact-based decisions on technology purchases and business strategy. More than 1,000 IDC analysts provide global, regional, and local expertise on technology and industry opportunities and trends in over 110 countries worldwide. For more than 50 years, IDC has provided strategic insights to help our clients achieve their key business objectives. IDC is a subsidiary of IDG, the world's leading technology media, research, and events company. You can learn more about IDC by visiting www.idc.com.