Compliance as a Service

34 Pages. Posted: 14 Nov 2018


Dimitra Kamarinou

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

Isabella Oldani

Queen Mary University of London, School of Law

Date Written: November 14, 2018

Abstract

This paper provides an empirical review of GDPR-related marketing communications and data processing agreements of 13 cloud service providers (‘CSPs’). Our analysis focuses on how these agreements reflect and deal with the key data protection obligations imposed on controllers and processors under Article 28 GDPR. More specifically, we discuss issues of engaging sub-processors, complying with security and personal data breach notification obligations, complying with the obligations to keep records of processing activities and carry out audits, managing data subjects’ requests and complying with obligations regarding transfers of personal data outside the EEA.

Article 28 GDPR creates an inter-dependency between controllers and processors for compliance purposes. The CSPs surveyed not only provide assurances regarding their own GDPR compliance, but also commit to assisting their customers to comply. We argue that this symbiotic framework will facilitate the development of a Compliance as a Service model, particularly in areas with growing technical challenges such as security arrangements, identification of data breaches, and management of audits. Even though a controller’s GDPR compliance cannot be outsourced completely, we argue that it is likely that controllers will become increasingly dependent on CSPs for various compliance purposes.

Keywords: cloud, GDPR, cloud service providers, compliance, service, data protection, personal data, controllers, processors, data subjects, security, personal data breach notification, audit, transfers

JEL Classification: K12, K19, K2, K20, K23, K29, K30, K33, K39, L86, M13, O33

Suggested Citation

Kamarinou, Dimitra and Millard, Christopher and Oldani, Isabella, Compliance as a Service (November 14, 2018). Queen Mary School of Law Legal Studies Research Paper No. 287/2018, Available at SSRN: https://ssrn.com/abstract=3284497

Dimitra Kamarinou (Contact Author)

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

67-69 Lincoln’s Inn Fields
London, WC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/staff/kamarinou.html

Christopher Millard

Queen Mary University of London, School of Law - Centre for Commercial Law Studies

67-69 Lincoln's Inn Fields
London, EC2A 3JB
United Kingdom

HOME PAGE: http://www.law.qmul.ac.uk/staff/millard.html

Isabella Oldani

Queen Mary University of London, School of Law

67-69 Lincoln’s Inn Fields
London, WC2A 3JB
United Kingdom


Paper statistics

Downloads: 1,048
Abstract Views: 4,489
Rank: 39,304