Compliance as a Service
34 Pages Posted: 14 Nov 2018
Date Written: November 14, 2018
Abstract
This paper provides an empirical review of GDPR-related marketing communications and data processing agreements of 13 cloud service providers (‘CSPs’). Our analysis focuses on how these agreements reflect and deal with the key data protection obligations imposed on controllers and processors under Article 28 GDPR. More specifically, we discuss issues of engaging sub-processors, complying with security and personal data breach notification obligations, complying with the obligations to keep records of processing activities and carry out audits, managing data subjects’ requests and complying with obligations regarding transfers of personal data outside the EEA.
Article 28 GDPR creates an inter-dependency between controllers and processors for compliance purposes. The CSPs surveyed not only provide assurances regarding their own GDPR compliance, but also commit to assisting their customers to comply. We argue that this symbiotic framework will facilitate the development of a Compliance as a Service model, particularly in areas with growing technical challenges such as security arrangements, identification of data breaches, and management of audits. Even though a controller’s GDPR compliance cannot be outsourced completely, we argue that it is likely that controllers will become increasingly dependent on CSPs for various compliance purposes.
Keywords: cloud, GDPR, cloud service providers, compliance, service, data protection, personal data, controllers, processors, data subjects, security, personal data breach notification, audit, transfers
JEL Classification: K12, K19, K2, K20, K23, K29, K30, K33, K39, L86, M13, O33
Suggested Citation: Suggested Citation