How will Data Transfers and GDPR change how companies manage Personal Data?
At the time of writing, the top 5 cloud-based storage providers have a market share of about 60%. Amazon (AWS) is the largest of these, coming in at 44% of the total market. So, if you are using cloud-based software, your data is probably on one of these servers. If this software is a CRM, accounting package, HR platform, timesheet system etc., then you are more than likely storing Personal Data. You are the Controller of this personal data and have a responsibility to ensure it is stored and processed in a manner that is GDPR compliant. Understanding where the data is stored is a big part of this. We use Xero (https://www.xero.com/ie/about/terms/privacy/) as our accounting software - great technology. Xero stores the data in a mix of Rackspace, AWS and Azure. Where are these data centers located?
Interestingly, 30% of AWS servers are in places that the EU does not consider to provide an “adequate level of protection” of personal data.
The Table below breaks this down:
Azure has Data centers in very similar locations to AWS:
Rackspace have 9 Data centers in the US, UK, China and Australia.
So where is my clients' Personal Data stored?
This is a surprisingly difficult question to answer. If I upload personal data to Xero, which in turn hosts it with one of the 3 operators mentioned, can I be certain that my data is stored in the EU? Amazon states on its website: "Customers choose the region(s) in which their customer content will be stored. We will not move or replicate customer content outside of the customer's chosen region(s), except as legally required and as necessary to maintain the AWS services and provide them to our customers and their end users." The above looks promising, but what scope does the statement "as necessary to maintain the AWS services" give them? Any lawyers out there have a view?
So I upload personal data to my Xero account; what should I do?
As the data controller, I think you need to do the following:
- Contact Xero and ask them where the data is stored. Ask them to ensure that the data is stored in an adequate location.
- Ensure that this communication is recorded and maintained in your Data Protection/GDPR file.
The response from Xero (or any other cloud-based provider) is not going to be 100% watertight, so consent comes into this.
- Ensure that all your customers (subjects) have consented to this data being stored in the cloud and in locations that are not deemed adequate by the EU (execution here will be interesting!).
I am hoping that all cloud-based applications like Xero put Double Opt-in in place for any customer data added to their systems. For more on Double Opt-in, see my article from a couple of weeks ago. It can be argued that consent in the above circumstances is not required, but I guess it depends on how compliant you want to be. My research tells me that there is clearly a chance that Personal Data being held in the cloud will be stored in a country that the EU deems as not ensuring an "adequate level of protection." If this is the case, then you will need to get the consent of your customer (subject). Is this way over the top?
Suffering from GDPR anxiety? Get in touch with us - we might be able to help: